curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 8.8.0, <= 8.13.0
A vulnerability exists in curl and libcurl versions 8.8.0 through 8.13.0, when built with wolfSSL as the TLS backend. The issue arises because the library skips proper certificate verification for QUIC connections to IP addresses, leaving users vulnerable to man-in-the-middle attacks. This flaw was introduced in curl 8.8.0 and also affects the curl command line tool.
The vulnerability allows for man-in-the-middle attacks by bypassing certificate verification for QUIC connections to IP addresses.
To reproduce this vulnerability, use curl version 8.8.0 through 8.13.0 built with the wolfSSL backend and connect to a host by IP address over HTTP/3. The connection succeeds without proper certificate verification, whereas the same connection over HTTP/1.1 correctly fails verification.
Users can upgrade to curl version 8.14.0 or apply the patch available in the curl GitHub repository. Instructions for upgrading or applying the patch can be found in the curl documentation.
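To check whether a local curl build falls into the affected set described above (version 8.8.0 through 8.13.0, wolfSSL backend, HTTP/3 support), here is an added example that is not part of this record or of the curl project. It parses the text printed by `curl -V`; the sample outputs are constructed, and it assumes that a build without the HTTP3 feature cannot open QUIC connections and so is treated as not exposed.

```python
import re
import subprocess

# Inclusive version range this record lists as affected.
AFFECTED_MIN = (8, 8, 0)
AFFECTED_MAX = (8, 13, 0)

def parse_version(s):
    return tuple(int(p) for p in s.split("."))

def parse_curl_version_output(text):
    """Parse `curl -V` output into (version tuple, TLS backend names, feature names)."""
    lines = text.strip().splitlines()
    m = re.match(r"curl\s+(\d+\.\d+\.\d+)", lines[0])
    if not m:
        raise ValueError("unrecognised curl -V output")
    version = parse_version(m.group(1))
    # TLS backends appear on the first line as tokens such as 'OpenSSL/3.0.2' or 'wolfSSL/5.7.2'.
    backends = set(re.findall(r"\b(\w+SSL|GnuTLS|mbedTLS|Schannel|rustls)/", lines[0]))
    features = set()
    for line in lines[1:]:
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return version, backends, features

def is_affected(text):
    """True if the build matches the affected version range, backend and QUIC capability."""
    version, backends, features = parse_curl_version_output(text)
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    # Assumption: no HTTP3 feature means no QUIC connections, so the flawed path is unreachable.
    return in_range and "wolfSSL" in backends and "HTTP3" in features

def check_installed_curl():
    """Run the local `curl -V` and report whether that build is in the affected set."""
    out = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
    return is_affected(out)

# Constructed sample outputs (not captured from real builds).
AFFECTED_SAMPLE = """curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 wolfSSL/5.7.2 zlib/1.3.1 nghttp2/1.62.1 ngtcp2/1.7.0 nghttp3/1.5.0
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz SSL threadsafe
"""
FIXED_SAMPLE = AFFECTED_SAMPLE.replace("8.10.1", "8.14.0")
OPENSSL_SAMPLE = AFFECTED_SAMPLE.replace("wolfSSL/5.7.2", "OpenSSL/3.0.2")
NO_HTTP3_SAMPLE = AFFECTED_SAMPLE.replace(" HTTP3", "")

if __name__ == "__main__":
    print("affected" if check_installed_curl() else "not affected")
```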