CVE CyberSecurity Database News

CVE-2023-32001 - How libcurl’s Cookie, HSTS, and Alt-Svc File Saving Was Vulnerable to Dangerous Race Conditions

Poster -

In May 2023, a critical vulnerability—CVE-2023-32001—was revealed in libcurl, a widely used client-side URL transfer library. This bug exposed a Time-Of-Check to Time-Of-Use (TOCTOU) race condition when libcurl saved cookie, HSTS, or alt-svc data to files, opening the door for attackers to overwrite or create files they shouldn’t have access to. In this post, we’ll break down the vulnerability, explain why it’s a problem (in plain english), show you sample exploit code, and point you to the original resources.

What’s the problem? (Simple Explanation)

libcurl lets apps save data to files about cookies, HSTS rules, and alternative service mappings. When it’s about to save this data, it checks if the target file is OK (using stat()) before it actually opens the file to write (using fopen()):

fopen(): Actually opens the file for writing.

The problem is that these actions aren’t atomic—they aren’t one single step. So, in the little window between the check and the open, a sneaky attacker can replace the file path with a symbolic link to, for example, a protected system file.

Result: libcurl could __overwrite/damage confidential or system files__—something it was never meant to do.

Why is it dangerous?

If an attacker can mess with or predict the filename (sometimes possible in temporary folders), they can get libcurl to save cookie/HSTS/alt-svc data to files like .ssh/authorized_keys, .bashrc, or even system config files. That means:

- Overwriting user/infrastructure-critical files

Here’s what the problematic (pseudo)code looked like

struct stat fileinfo;
if(stat(filename, &fileinfo) == ) {
    FILE *fp = fopen(filename, "w");
    if(fp) {
        // write data
        fclose(fp);
    }
}

Between stat() and fopen(), an attacker can atomic-swap the file with a symlink or other object, and fopen() ends up operating on an unintended target.

Proof-of-Concept (PoC) Exploit

The easiest way to demonstrate the problem is with a symbolic link (symlink) attack.

Let’s say libcurl is saving cookies to /tmp/cookies.txt. Here’s how an attacker could exploit a race:

`bash

touch /tmp/cookies.txt

import time

target = "/etc/passwd"  # the file to be overwritten!
   victim = "/tmp/cookies.txt"

`bash

curl --cookie-jar /tmp/cookies.txt http://example.com

`

4. If the timing is right, curl ends up writing its data into /etc/passwd (or another target file), corrupting or overwriting the system file!

Original References

- Official curl Security Advisory
- NIST CVE Record
- curl commit fixing the issue

Upgrade to libcurl 8.1.2 or later—the bug is fixed there.

- Avoid saving cookie/HSTS/alt-svc data to shared or world-writable directories (like /tmp) if possible.

Conclusion

CVE-2023-32001 is a classic, yet dangerous, example of why TOCTOU (Time-Of-Check to Time-Of-Use) problems matter in system software—even in something as common as curl. Simple “check then use” patterns aren’t safe in shared environments. Always keep your libraries updated and be careful about where application data lands.


If you’re maintaining systems or software that use libcurl, patch now and double-check your file-saving logic!

Timeline

Published on: 07/26/2023 21:15:00 UTC
Last modified on: 08/03/2023 15:11:00 UTC