curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 7.12.0, <= 8.19.0
A vulnerability exists in libcurl versions 7.12.0 through 8.19.0, where the library improperly manages Digest authentication headers when switching between HTTP proxies. Specifically, if a transfer is completed using one proxy (proxyA) and the same handle is reused to transfer data through a second proxy (proxyB), libcurl erroneously transmits the Proxy-Authorization header intended for proxyA to proxyB. This flaw allows an attacker-controlled proxyB to impersonate the client to proxyA by replaying the intercepted authentication header, which contains valid credentials. Although the request details to proxyB do not disclose proxyA's identity, this vulnerability could still be exploited under certain conditions.
Exploitation of this vulnerability leads to a cross-proxy authentication boundary violation, where an attacker can replay intercepted Digest authentication headers to a proxy server, bypassing normal authentication processes.
The vulnerability can be reproduced by first sending a request through a proxy that requires Digest authentication. After authentication completes, the proxy is changed to a second one while the same handle is reused. The first request to the second proxy then incorrectly includes the Digest authentication header from the first proxy, which the second proxy can replay to authenticate to the first.
Users are advised to upgrade libcurl to version 8.20.0, apply the available patch, or avoid reusing handles when changing proxies.
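An inventory check against the version range stated above, as an added example that is not code from this advisory or from the curl project. It assumes the input is `curl --version` output or a bare libcurl version string; the host names and sample strings are constructed.

```python
import re

# Range and fixed release exactly as stated in the advisory text.
FIRST_AFFECTED = (7, 12, 0)
LAST_AFFECTED = (8, 19, 0)
FIXED_IN = (8, 20, 0)

# "libcurl/X.Y.Z" token as printed by `curl --version`.
_LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")
# Fallback for a bare version string such as "8.19.0-DEV".
_BARE_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_libcurl_version(text):
    """Return (major, minor, patch) of libcurl, or None if absent.

    The libcurl/ token wins over the leading tool version because the
    curl tool and the library it is linked against can differ.
    """
    m = _LIBCURL_RE.search(text) or _BARE_RE.match(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify version text against the advisory's range."""
    v = parse_libcurl_version(text)
    if v is None:
        return "unknown"
    if v < FIRST_AFFECTED:
        return "predates-range"
    if v <= LAST_AFFECTED:
        # A build may carry the patch without a version bump; the version
        # alone cannot show that, so this means "review", not "vulnerable".
        return "affected-range"
    # Releases between 8.19.0 and 8.20.0 are not covered by the advisory.
    return "fixed" if v >= FIXED_IN else "unknown"


def needs_review(inventory):
    """Hosts whose libcurl is in the affected range or unclassifiable."""
    flagged = ("affected-range", "unknown")
    return sorted(h for h, t in inventory.items() if classify(t) in flagged)


# Constructed sample inventory (host -> captured version text).
SAMPLE = {
    "build-01": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13",
    "edge-02": "curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.5.0",
    "legacy-03": "7.11.2",
    "ci-04": "8.19.0-DEV",
    "mismatch-05": "curl 8.20.0 (aarch64) libcurl/7.88.1 OpenSSL/3.0.11",
}
```

A host flagged here is only exposed if it uses Digest proxy authentication and reuses a handle across different proxies, so the flagged list is a starting point for review.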