CVE-2020-8177
📋 TL;DR
CVE-2020-8177 is a vulnerability in curl that allows arbitrary file overwrite when using the -J flag. Attackers can overwrite local files by manipulating server responses with crafted filenames. This affects curl versions 7.20.0 through 7.70.0.
💻 Affected Systems
- curl
- libcurl
- applications using vulnerable libcurl versions
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through overwriting critical system files like /etc/passwd or authorized_keys, leading to privilege escalation or remote code execution.
Likely Case
Data loss or corruption through overwriting user files, configuration files, or application data.
If Mitigated
Limited impact if curl is used without the -J flag, or with restricted permissions in a sandboxed environment.
🎯 Exploit Status
Exploitation requires the user to download from a malicious server, or a MITM scenario. A proof of concept is available in the HackerOne report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 7.71.0
Vendor Advisory: https://curl.se/docs/CVE-2020-8177.html
Restart Required: No
Instructions:
1. Update curl to version 7.71.0 or later.
2. For Linux: Use package manager (apt-get update && apt-get upgrade curl, yum update curl, etc.).
3. For Windows: Download latest from curl.se.
4. Recompile applications using libcurl with updated version.
🔧 Temporary Workarounds
Disable -J flag usage
Platform: all
Avoid using curl with the -J/--remote-header-name flag in scripts and commands
# Review scripts and remove -J flag usage
# Example vulnerable: curl -J -O http://example.com/file
# Safe: curl -O http://example.com/file
Restrict curl permissions
Platform: linux
Run curl with limited user privileges to reduce the impact of file overwrites
sudo -u lowprivilegeuser curl ...
chroot or containerize curl operations
🧯 If You Can't Patch
- Audit all scripts and applications for curl -J usage and remove the flag
- Implement network controls to prevent curl from accessing untrusted servers
🔍 How to Verify
Check if Vulnerable:
Check curl version: curl --version | head -1. If the version is between 7.20.0 and 7.70.0 inclusive, the system is vulnerable when using the -J flag.
Check Version:
curl --version | head -1
Verify Fix Applied:
After update, verify version is 7.71.0 or higher: curl --version | head -1
📡 Detection & Monitoring
Log Indicators:
- curl commands with -J flag in command history
- Unexpected file modifications in system logs
Network Indicators:
- curl requests to untrusted domains with -J flag
- HTTP responses with crafted Content-Disposition headers
SIEM Query:
process_name="curl" AND command_line="* -J *"
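The SIEM pattern above only matches a standalone ` -J ` token, so it misses clustered short options such as `-sSLOJ` and the long form `--remote-header-name`. The following is an added example, not part of the original page or of curl: a heuristic matcher for audit scripts or log pipelines. The function names, the sample command lines and the partial list of argument-taking short options are assumptions made for this example.

```python
import shlex

# Short curl options that take an argument (partial list, assumed sufficient
# for this example). A "J" after one of them is argument data, not the flag.
SHORT_OPTS_WITH_ARG = set("AbcCdDeEFHKmoPQrTuUwxXyYz")

def curl_uses_remote_header_name(command_line):
    """Heuristic: True if a curl invocation in command_line enables -J."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes in a log line
        tokens = command_line.split()
    in_curl = False    # inside the argument list of a curl command
    skip_next = False  # next token is the argument of the previous option
    for tok in tokens:
        if tok in ("|", "||", "&&", ";"):
            in_curl = skip_next = False
        elif not in_curl:
            in_curl = tok.rsplit("/", 1)[-1] == "curl"
        elif skip_next:
            skip_next = False
        elif tok == "--remote-header-name":
            return True
        elif tok.startswith("-") and not tok.startswith("--"):
            for i, ch in enumerate(tok[1:], start=1):
                if ch == "J":
                    return True
                if ch in SHORT_OPTS_WITH_ARG:
                    # Rest of the cluster, or the next token, is its argument.
                    skip_next = i == len(tok) - 1
                    break
    return False

# Constructed sample command lines (not taken from real logs).
SAMPLES = [
    "curl -J -O http://example.com/file",
    "curl -sSLOJ https://example.com/dl",
    "/usr/bin/curl --remote-header-name -O https://example.com/dl",
    "sudo -u lowprivilegeuser curl -OJ http://example.com/file",
    "curl -O http://example.com/file",
    "curl -oJ https://example.com/file",   # writes to a file named "J"
    "curl -d -J https://example.com/api",  # "-J" is the POST body
]

def flagged(lines):
    """Return the command lines that enable -J."""
    return [line for line in lines if curl_uses_remote_header_name(line)]
```

Arguments of long options (for example `--data -J`) are not tracked, so treat a hit as a lead to review rather than a verdict.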
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://curl.se/docs/CVE-2020-8177.html
- https://hackerone.com/reports/887462
- https://www.debian.org/security/2021/dsa-4881
- https://www.oracle.com/security-alerts/cpujan2022.html