curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 7.58.0, <= 8.17.0
A vulnerability exists in curl and libcurl versions 7.58.0 through 8.17.0 when the application is built with the libssh backend. During SSH transfers via SCP or SFTP, curl incorrectly defaults to using a local SSH agent for public key authentication, bypassing the need for the key passphrase. The issue arises from unexpected behavior in the libssh API, which falls back on agent authentication. As a result, if the SSH agent has the matching key loaded, authentication succeeds even when the agent option is not explicitly set.
This vulnerability allows users to authenticate using SSH keys without entering the required passphrase, potentially undermining security protocols that rely on passphrase protection. However, this issue only affects users who have an SSH agent running with the appropriate keys loaded.
To reproduce this vulnerability, first ensure that curl is compiled with the libssh backend. Then, use a proof-of-concept application that initiates an SFTP transfer while specifying public key authentication. If an SSH agent is running with the user's key loaded, the transfer will be authenticated without requiring the passphrase, demonstrating the bypass.
Users can upgrade to curl version 8.18.0 or later, or build curl with the libssh2 backend to avoid this vulnerability.
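An exposure check for the conditions described above, as an added example (not code from the curl project or from this page): it classifies a `curl --version` banner by SSH backend and libcurl version. The function names, result labels, sample banner, and the choice to treat a non-empty `SSH_AUTH_SOCK` value as "agent present" are assumptions of the example.

```shell
#!/bin/sh
# Added example: decide whether a curl build matches the affected conditions
# (libssh backend, libcurl 7.58.0 through 8.17.0, SSH agent available).

# Constructed sample banner in the format printed by `curl --version`.
SAMPLE_BANNER='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 libssh/0.10.6/openssl/zlib nghttp2/1.59.0'

# ver_num MAJOR.MINOR.PATCH -> one comparable integer (8.17.0 -> 8017000)
ver_num() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# curl_libssh_exposure BANNER [AGENT_SOCK]
# Prints: unknown | not-libssh | outside-range |
#         affected-no-agent | affected-agent-present
curl_libssh_exposure() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    agent_sock=${2-}

    # Use the libcurl version, since the flaw is in the library.
    version=$(printf '%s\n' "$first_line" |
        sed -n 's/.* libcurl\/\([0-9][0-9.]*\).*/\1/p')
    if [ -z "$version" ]; then
        echo "unknown"; return 0
    fi

    # libssh builds report "libssh/<ver>"; libssh2 builds report "libssh2/<ver>".
    case " $first_line " in
        *" libssh/"*) ;;
        *) echo "not-libssh"; return 0 ;;
    esac

    n=$(ver_num "$version")
    if [ "$n" -lt "$(ver_num 7.58.0)" ] || [ "$n" -gt "$(ver_num 8.17.0)" ]; then
        echo "outside-range"; return 0
    fi

    # Assumption: a non-empty agent socket path means an agent is reachable.
    if [ -n "$agent_sock" ]; then
        echo "affected-agent-present"
    else
        echo "affected-no-agent"
    fi
}

# Usage on a live host:
#   curl_libssh_exposure "$(curl --version)" "${SSH_AUTH_SOCK-}"
```

A result of `affected-agent-present` only means an agent is reachable; `ssh-add -l` shows whether it actually has keys loaded.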