CURL-CVE-2023-27534

Source
https://curl.se/docs/CVE-2023-27534.html
Import Source
https://curl.se/docs/CURL-CVE-2023-27534.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2023-27534
Aliases
Published
2023-03-20T08:00:00Z
Modified
2026-05-18T23:10:34.317094Z
Summary
SFTP path ~ resolving discrepancy
Details

curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character used as the first path element denotes a path relative to the user's home directory. This is supported because of wording in the draft that was once proposed to become the RFC dictating how SFTP URLs work.

Due to a bug, the handling of the tilde in the SFTP path did not only replace it when it was used stand-alone as the first path element, but also, wrongly, when it was merely a prefix of the first element.

Using a path like /~2/foo when accessing a server as the user dan (with home directory /home/dan) would then, quite surprisingly, access the file /home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.
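The two resolution rules described above, side by side, as an added example that is not curl's code and not part of the advisory. The function models the tilde rewrite in a simplified form: `strict = false` reproduces the described prefix bug, `strict = true` applies the stand-alone-element rule. The home directory `/home/dan` and the sample paths are constructed, and the treatment of a non-matching `/~2/foo` as a literal path in strict mode is this model's assumption, not a statement about the exact behaviour of the curl fix. `stays_under_home` is the confinement check a defender would pair with any home-relative expansion, and the `/home/dan` versus `/home/dan2` case shows why a bare prefix comparison is not sufficient for it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of the tilde handling described in the advisory.
 * This is NOT curl's code: it reproduces the described behaviour so the
 * buggy and corrected rules can be compared side by side.
 *
 *   home   - the user's home directory, e.g. "/home/dan" (constructed sample)
 *   path   - the path component of the SFTP URL, e.g. "/~/foo" or "/~2/foo"
 *   strict - false: expand any "/~..." prefix (the bug);
 *            true : expand only when "~" is the entire first path element
 *
 * Returns 0 on success, -1 on bad arguments or if the result does not fit.
 */
static int resolve_sftp_path(const char *home, const char *path, bool strict,
                             char *out, size_t outlen)
{
    int n;

    if (!home || !path || !out || outlen == 0)
        return -1;

    if (path[0] == '/' && path[1] == '~') {
        const char *rest = path + 2;           /* text after the '~' */
        bool standalone = (*rest == '\0' || *rest == '/');

        if (!strict || standalone) {
            /* Buggy mode: "/~2/foo" becomes "<home>2/foo".
             * Strict mode: only "/~" and "/~/..." are rewritten. */
            n = snprintf(out, outlen, "%s%s", home, rest);
            return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
        }
    }

    /* No expansion: the path is taken literally, so in strict mode
     * "/~2/foo" names a directory literally called "~2" under the root
     * (an assumption of this model, not necessarily curl's behaviour). */
    n = snprintf(out, outlen, "%s", path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Confinement check a defender would pair with tilde expansion: the
 * resolved path must be the home directory itself or live below it.
 * A bare prefix comparison is not enough, which is exactly what the
 * "/home/dan" vs "/home/dan2" case demonstrates. */
static bool stays_under_home(const char *home, const char *resolved)
{
    size_t hl = strlen(home);
    if (strncmp(home, resolved, hl) != 0)
        return false;
    return resolved[hl] == '\0' || resolved[hl] == '/';
}

/* Check helper: does (home, path, strict) resolve to exactly `expected`? */
static bool resolves_to(const char *home, const char *path, bool strict,
                        const char *expected)
{
    char buf[512];
    if (resolve_sftp_path(home, path, strict, buf, sizeof buf) != 0)
        return false;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *home = "/home/dan";                          /* constructed */
    const char *paths[] = { "/~", "/~/foo", "/~2/foo", "/srv/files/readme" };
    char buf[512];

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        for (int mode = 0; mode <= 1; mode++) {
            bool strict = (mode != 0);
            if (resolve_sftp_path(home, paths[i], strict, buf, sizeof buf) == 0)
                printf("%-5s %-18s -> %-20s under home: %s\n",
                       strict ? "fixed" : "buggy", paths[i], buf,
                       stays_under_home(home, buf) ? "yes" : "no");
        }
    }
    return 0;
}
```

Running the stand-alone program prints one line per path and mode; the `buggy` line for `/~2/foo` resolves to `/home/dan2/foo` and fails the confinement check, while the `fixed` line leaves the path untouched.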

Database specific
{
    "last_affected": "7.88.1",
    "award": {
        "currency": "USD",
        "amount": "480"
    },
    "severity": "Low",
    "affects": "both",
    "CWE": {
        "desc": "Improper Limitation of a Pathname to a Restricted Directory",
        "id": "CWE-22"
    },
    "www": "https://curl.se/docs/CVE-2023-27534.html",
    "URL": "https://curl.se/docs/CVE-2023-27534.json",
    "issue": "https://hackerone.com/reports/1892351",
    "package": "curl"
}
References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.18.0
Fixed
8.0.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1
Other
curl-7_18_0
curl-7_18_1
curl-7_18_2
curl-7_19_0
curl-7_19_1
curl-7_19_2
curl-7_19_3
curl-7_19_4
curl-7_19_5
curl-7_19_6
curl-7_19_7
curl-7_20_0
curl-7_20_1
curl-7_21_0
curl-7_21_1
curl-7_21_2
curl-7_21_3
curl-7_21_4
curl-7_21_5
curl-7_21_6
curl-7_21_7
curl-7_22_0
curl-7_23_0
curl-7_23_1
curl-7_25_0
curl-7_26_0
curl-7_27_0
curl-7_28_0
curl-7_28_1
curl-7_29_0
curl-7_30_0
curl-7_31_0
curl-7_32_0
curl-7_33_0
curl-7_34_0
curl-7_35_0
curl-7_36_0
curl-7_37_0
curl-7_37_1
curl-7_38_0
curl-7_39_0
curl-7_40_0
curl-7_41_0
curl-7_42_0
curl-7_43_0
curl-7_44_0
curl-7_45_0
curl-7_46_0
curl-7_47_0
curl-7_47_1
curl-7_48_0
curl-7_49_0
curl-7_49_1
curl-7_50_0
curl-7_50_1
curl-7_50_2
curl-7_50_3
curl-7_51_0
curl-7_52_0
curl-7_52_1
curl-7_53_0
curl-7_53_1
curl-7_54_0
curl-7_54_1
curl-7_55_0
curl-7_55_1
curl-7_56_0
curl-7_56_1
curl-7_57_0
curl-7_58_0
curl-7_59_0
curl-7_60_0
curl-7_61_0
curl-7_61_1
curl-7_62_0
curl-7_63_0
curl-7_64_0
curl-7_64_1
curl-7_65_0
curl-7_65_1
curl-7_65_2
curl-7_65_3
curl-7_66_0
curl-7_67_0
curl-7_68_0
curl-7_69_0
curl-7_69_1
curl-7_70_0
curl-7_71_0
curl-7_71_1
curl-7_72_0
curl-7_73_0
curl-7_74_0
curl-7_75_0
curl-7_76_0
curl-7_76_1
curl-7_77_0
curl-7_78_0
curl-7_79_0
curl-7_79_1
curl-7_80_0
curl-7_81_0
curl-7_82_0
curl-7_83_0
curl-7_83_1
curl-7_84_0
curl-7_85_0
curl-7_86_0
curl-7_87_0
curl-7_88_0
curl-7_88_1

Database specific

vanir_signatures
[
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "228840074135554431436719030323093654179",
            "length": 1162.0
        },
        "id": "CURL-CVE-2023-27534-41b9bc57",
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6",
        "target": {
            "function": "Curl_getworkingpath",
            "file": "lib/curl_path.c"
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "218544295992803142351060550016437973059",
                "17595090113948442442737404369813994168",
                "127099749212024772016832004220242757845",
                "193377320314188509804557227397164681671",
                "128593626999667703384795045236461924420",
                "166500908727351385377023948994925195877",
                "164312718496607157671589763048734094643",
                "241024227959350370199836703071471749079",
                "142363385775755644370728803225874686346",
                "24894155868649408036618127898712702512",
                "322969720911693821970132461870384462211",
                "267269704318405773158920350231518977242",
                "114626317354368070713158021065297744152",
                "302222549270681719589766286763024689976",
                "22695367372254738118545595532995196107",
                "63562687785449076694908610682007924595",
                "139300319062665313356507615483743702008",
                "173293223730354422723121247930875265019",
                "192553860508771460009008025076551363558",
                "326154242660115391323127878791032655308",
                "122444487809622759736426500349637244536",
                "249625537427663162852917849078719393486",
                "304941522735531985350000096649696213401",
                "299871582095206091799004427034611032085",
                "20629569223273937240173877834025078004",
                "251350689102973709440522639738416094059",
                "156192352302548045669514510887390816767",
                "101898109192932712250706491865800012857",
                "96649043855652563813759725220665959968",
                "120977689065159008338668166205124385763",
                "173293223730354422723121247930875265019",
                "227012376426497601253820692928802671546",
                "12413570378180400446243866381344886251",
                "203306616924648785618483540586034808563",
                "87959606140091949917716476882169532916",
                "180519442735749124854477651929287477130",
                "10843707057582894148002426623887554465",
                "310397967457063354526099098088053995188",
                "143856960950009739223417370161638863001",
                "227832957307795953550157382558438178924",
                "164919229496897240624069036802370089344",
                "334030817854875047914307532863676427973",
                "20925765012834045928219785870668575700",
                "64191071328762438076287199822580165471",
                "336973117671902481458599763111284669984",
                "153999460614051797763374948783717851513",
                "139300319062665313356507615483743702008",
                "173293223730354422723121247930875265019",
                "332980443351317171627524081174027457346",
                "172614800569243312121640488635040898424",
                "222352064344804085798479313409624286993",
                "252970910987515919464260785484673287410",
                "140728092908624700123691564267460159843",
                "98216406554028246372000676043079968592",
                "109458180892148882097022975793511679746",
                "236511837109245670155669349537673282164"
            ]
        },
        "id": "CURL-CVE-2023-27534-4c227131",
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6",
        "target": {
            "file": "lib/curl_path.c"
        },
        "deprecated": false
    }
]
source
"https://curl.se/docs/CURL-CVE-2023-27534.json"
vanir_signatures_modified
"2026-05-18T23:10:34Z"