curl QUIC Certificate Pinning Vulnerability with GnuTLS Allowing Impersonation

A vulnerability exists in curl versions 8.8.0 through 8.17.0 when the CURLOPT_PINNEDPUBLICKEY option is used with libcurl or the --pinnedpubkey option is used with the curl command-line tool. Under these conditions, curl is supposed to verify the public key of the server certificate to ensure the authenticity of the peer. However, this verification was bypassed in specific scenarios, particularly when using QUIC with ngtcp2, GnuTLS as the TLS library, and with standard certificate verification disabled. This oversight could allow an attacker to impersonate a server without being detected. It's important to note that this issue does not arise when connecting over HTTP/1 or HTTP/2, where the pinning check functions correctly.

Impact

The vulnerability could lead to improper certificate validation, allowing for potential man-in-the-middle attacks by impersonating a server.

Remediation

Users are advised to upgrade curl to version 8.18.0, build curl with a different TLS library, or avoid using HTTP/3.