Account/Repository Takeover via Abandoned GitHub Username in curl's href_extractor.c

Medium
C
curl
Submitted None
Reported by ks_karem77

Vulnerability Details

Technical details and impact analysis

LLM05: Supply Chain Vulnerabilities
Summary:

The href_extractor.c example in the curl repository (https://github.com/curl/curl/blob/master/docs/examples/href_extractor.c) references an external HTML parser library hosted at https://github.com/arjunc77/htmlstreamparser. The referenced GitHub username (arjunc77) or repository (htmlstreamparser) appears to be abandoned or deleted, allowing me to register the same username and host a repository with the same name. This enables a potential supply chain attack, where malicious code could be distributed to users relying on the referenced library, impacting the security of applications built using this example.

Description:

The href_extractor.c file, part of the curl project's example code, uses the HTML streaming parser from https://github.com/arjunc77/htmlstreamparser. I discovered that the GitHub username arjunc77 or the repository htmlstreamparser was abandoned or deleted, as I was able to register the same username and create a repository under the same name. By hosting a malicious version of the HTML parser in this repository, an attacker could compromise systems that download and use the library based on the link provided in the curl documentation. This is particularly concerning because the curl project is widely trusted, and developers may not verify the ownership or integrity of the referenced repository.

Steps to Reproduce:

1. Visit the href_extractor.c file in the curl repository: https://github.com/curl/curl/blob/master/docs/examples/href_extractor.c.
2. Note the reference to the HTML parser at https://github.com/arjunc77/htmlstreamparser in the file's comments.
3. Verify that the arjunc77/htmlstreamparser repository is no longer active or has been deleted (as I was able to register the username arjunc77).
4. Create a new GitHub account with the username arjunc77 and a repository named htmlstreamparser.
5. Host a proof-of-concept (PoC) repository with malicious or modified code at https://github.com/arjunc77/htmlstreamparser.
6. Developers cloning or downloading the library from this link, as referenced in href_extractor.c, would inadvertently use the malicious code.

Proof of Concept:

I registered the GitHub username arjunc77 and created a repository named htmlstreamparser at https://github.com/arjunc77/htmlstreamparser. I hosted a PoC version of the HTML parser with a simple modification (e.g., adding a print statement to demonstrate control over the code). When compiled and run with href_extractor.c, the modified code executes, confirming the potential for malicious code injection. The PoC repository remains available for verification but does not contain harmful code.

References:

- Vulnerable file: https://github.com/curl/curl/blob/master/docs/examples/href_extractor.c
- PoC repository: https://github.com/arjunc77/htmlstreamparser (created for demonstration purposes)
- Location of the issue: {F4670348}

## Impact

The impact of this vulnerability is significant due to the potential for a supply chain attack:

- Code Execution Risk: Developers who follow the curl example and download the HTML parser from the referenced GitHub link could unknowingly integrate malicious code into their applications. This could lead to arbitrary code execution, data theft, or further compromise of systems where the application is deployed.
- Trust Exploitation: The curl project is a widely used and trusted library, and its documentation is considered authoritative. A malicious repository hosted under the same username could exploit this trust, leading to widespread adoption of compromised code.
- Scalability: Since the curl repository is publicly accessible and used by millions of developers, a single compromised link could affect numerous projects, especially those automatically pulling dependencies without manual verification.
- Reputation Damage: A successful attack leveraging this vulnerability could harm the reputation of the curl project, as users may perceive the inclusion of an unverified link as a security oversight.
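The defender-side check implied by this report is an audit of source comments and docs for github.com/owner/repo references whose owner account (re-registrable) or repository no longer exists. The following is an added example, not code from the curl project or the reporter; the owner names, repo names and sample comment block are constructed, and the live resolver assumes GitHub's public REST endpoints GET /users/{owner} and GET /repos/{owner}/{repo} answering 404 for missing entities.

```python
"""Audit source text for GitHub references whose owner or repository is gone."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# github.com/<owner>/<repo> links found in comments, docs or README text.
GITHUB_REF = re.compile(r"https?://github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+)")

def extract_github_refs(text: str) -> List[Tuple[str, str]]:
    """Return the unique (owner, repo) pairs referenced in text, in order of appearance."""
    refs: List[Tuple[str, str]] = []
    for owner, repo in GITHUB_REF.findall(text):
        repo = repo.rstrip(".,;)")          # drop punctuation that trails a link in prose
        if repo.endswith(".git"):
            repo = repo[:-4]
        if (owner, repo) not in refs:
            refs.append((owner, repo))
    return refs

# A resolver maps (owner, repo) to "ok", "missing_owner" or "missing_repo".
Resolver = Callable[[str, str], str]

def github_api_resolver(owner: str, repo: str) -> str:
    """Live resolver (assumed API shape): a 404 on the user means the name is free."""
    def exists(url: str) -> bool:
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return False
            raise                            # rate limits etc. should not pass as "missing"
    if not exists(f"https://api.github.com/users/{owner}"):
        return "missing_owner"
    if not exists(f"https://api.github.com/repos/{owner}/{repo}"):
        return "missing_repo"
    return "ok"

def audit_github_refs(text: str, resolve: Resolver) -> Dict[str, str]:
    """Classify every referenced repo; 'missing_owner' is the re-registrable case."""
    return {f"{o}/{r}": resolve(o, r) for o, r in extract_github_refs(text)}

# Constructed sample: a comment block in the style of a docs/examples source file.
SAMPLE_SOURCE = """\
/* Uses the HTML parser from https://github.com/example-owner/html-parser.
 * See also https://github.com/example-owner/other-tool.git and
 * https://github.com/gone-user/dead-lib for history. */
"""

def offline_resolver(owner: str, repo: str) -> str:
    """Constructed stand-in for the API: only example-owner/html-parser still exists."""
    if owner != "example-owner":
        return "missing_owner"
    return "ok" if repo == "html-parser" else "missing_repo"

if __name__ == "__main__":
    for ref, status in audit_github_refs(SAMPLE_SOURCE, offline_resolver).items():
        print(f"{status:14} {ref}")
```

Run it over a checkout with `github_api_resolver` in place of `offline_resolver` to list references whose owner name could be claimed by someone else; pinning such references to a commit hash or a release checksum removes the dependence on who owns the name.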

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Submitted

Weakness

LLM05: Supply Chain Vulnerabilities