curl does not parse the authority component of the URL correctly when the host
name part ends with a hash (#
) character, and could instead be tricked into
connecting to a different host. This may have security implications if you for
example use a URL parser that follows the RFC to check for allowed domains
before using curl to request them.
Passing in http://example.com#@evil.com/x.txt
would wrongly make curl send a
request to evil.com while your browser would connect to example.com given the
same URL.
The problem exists for most protocol schemes.
{ "CWE": { "id": "CWE-172", "desc": "Encoding Error" }, "package": "curl", "URL": "https://curl.se/docs/CVE-2016-8624.json", "severity": "Medium", "www": "https://curl.se/docs/CVE-2016-8624.html", "last_affected": "7.50.3" }