CVE-2022-35260 - Curl .netrc Buffer Overflow Flaw—What You Need To Know

If you use curl in your applications for fetching data or interacting with APIs, you may be relying on its .netrc file support for automated credential management. However, a critical vulnerability surfaced in 2022—CVE-2022-35260—showing that parsing a specially crafted .netrc file can crash your process or even allow more serious exploits under rare circumstances.

This post breaks it down in everyday language, looks at the actual bug, shows what it looks like in code, and advises what you should do.

What Is .netrc and How Does Curl Use It?

The .netrc file is a plain text file letting users specify which credentials (username and password) should be used by tools like curl when connecting to a specified host. For example:

machine example.org
login myusername
password mypassword

Curl will look for a .netrc file in your home directory if you pass -n or --netrc or with --netrc-file, making things easier for scripts—not having to expose passwords in command lines.

What Is CVE-2022-35260?

In July 2022, the curl developers disclosed that versions of curl (up to 7.84.) contain a buffer overflow bug when parsing a .netrc file.

Vulnerability Explained

- The bug triggers if .netrc ends with a _very_ long line—4095 or more non-space characters at the end of the file, with no terminating newline.

It can then write a zero byte (\) *past the end* of the buffer (classic off-by-one bug).

- Result? The process might crash (segmentation fault) or, in simply unlucky cases, maybe allow more controlled exploitation.

The code responsible, in older curl sources, allocates a 4096-byte buffer for parsing each line

#define NETRC_LINE_LEN 4096
char netrcbuffer[NETRC_LINE_LEN];

It expects to fill it per line and end it with a \ bytes. With a .netrc that has a last line exactly filling the buffer and *missing* a final newline, there's no clear signal the line is over. When the code tries to null-terminate, it writes the zero just *after* the buffer.

Here’s how a problematic .netrc might look (don’t do this on systems you care about)

machine attackhost login aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa......<4095 a's no newline here>

Under some circumstances, using curl --netrc with this file would crash curl or your script.

Proof-of-Concept Exploit

Suppose you have a system where an untrusted user (or attacker) can supply a .netrc file (for example, in a web application using curl in the backend).

Here’s a simple bash script to create a triggering file and see the crash

# Make a file with 4095 non-space, non-newline chars (e.g., 'A')
perl -e 'print "A"x4095' > .netrc

# Try to run curl with that .netrc file
curl --netrc-file .netrc https://example.com

Very likely, you’ll see

Segmentation fault (core dumped)

This indicates the program wrote past its buffer and crashed.

Impact

- Crash (Denial-of-Service): The most likely effect is that curl (or anything using libcurl) will segfault. For most users, this means scripts and apps relying on curl will fail—sometimes unpredictably.
- Potential Exploitation: Exploiting this for further code execution is much more complex, but cannot be ruled out in theory, depending on system protections.
- Scope: Any app or script which passes user-controlled .netrc files to curl/libcurl can be at risk.

Fixed Versions

- The bug is fixed in curl 7.85..

curl --version

<br>- Upgrade if you're on anything older than 7.85..<br><br>---<br><br>## What Should You Do?<br><br>- <b>Update curl and libcurl</b> to version 7.85. or newer—especially on servers where users can supply their own .netrc files.<br>- For applications running as different users or accepting user uploads, <b>never trust user-supplied .netrc files</b> on old versions.<br>- If you can’t update, disable curl’s .netrc feature (--netrc-optional or avoid --netrc` options).

---

## More Info and References

- Official CVE Report: NVD - CVE-2022-35260
- Curl Security Documentation: curl.se/docs/CVE-2022-35260.html
- Curl Source Fix: GitHub PR #9399

---

## Summary Table

| Risk                   | Fixed In     | Attack Path        | Typical Impact  |
|------------------------|--------------|--------------------|-----------------|
| Buffer overflow in .netrc parsing | curl 7.85. | Malicious .netrc (no final newline, long line) | Crash or DOS |

---

## Bottom Line

Always update core network tools like curl. Even highly trusted and widely used utilities can have surprising bugs, with real impact—especially when third-party or user input is involved. This vulnerability is mostly exploitable for denial-of-service, but it’s a sharp reminder: simple text file parsing can go wrong!

If you’re maintaining legacy systems—consider this a reason to finally patch.

---

*For curl security updates, see curl security advisories. If you want to test your own tools, try the exploit snippet above and always use safe, disposable environments.*

Timeline

Published on: 12/05/2022 22:15:00 UTC
Last modified on: 12/07/2022 15:14:00 UTC