Karl Henselin

**Name of the Vulnerable Software and Affected Versions** curl versions 7.12.3 through 7.58.0 **Description** A buffer overflow exists in the FTP URL handling of curl, allowing an attacker to cause a denial of service or worse. The vulnerability is triggered when curl is told to work on an FTP URL with the setting to only issue a single CWD command. The `--ftp-method singlecwd` or the libcurl alternative `CURLOPT FTP FILEMETHOD` can be used to exploit this issue. If the directory part of the URL contains a `%00` sequence, the directory length might end up shorter than the file name path, making the calculation `size t index = directory len - filepart len` end up with a huge index variable for where the zero byte gets stored. This can lead to overwriting memory before the intended heap buffer. **Recommendations** For curl versions 7.12.3 through 7.58.0, consider disabling the `--ftp-method singlecwd` option or the libcurl alternative `CURLOPT FTP FILEMETHOD` to minimize the risk of exploitation. Avoid using FTP URLs with the `%00` sequence in the directory part until the issue is resolved. As a temporary workaround, restrict access to the FTP URL handling functionality to prevent potential attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.