HSTS subdomain overwrites parent cache entry
Description
curl's HSTS subdomain expiry time can overwrite parent domain cache entry, causing incorrect HTTPS upgrade timing or premature insecure fallback.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
When curl is used with HSTS enabled, the expiry time for a subdomain (e.g., x.example.com) can overwrite the parent domain's (example.com) HSTS cache entry. This affects the curl tool and applications built on libcurl that enable HSTS, use URLs with the insecure http:// scheme, and perform transfers with hosts where the first host is a subdomain of the second. The bug requires the HSTS cache to already hold entries for the involved domains, populated either manually or by previous HTTPS accesses. When x.example.com responds with a Strict-Transport-Security header, its expiry timeout can bleed over and replace the example.com entry in curl's HSTS cache, so later http://example.com requests are upgraded, or not, according to the subdomain's max-age rather than the parent's own [1].
Exploitation
An attacker needs to control a subdomain (x.example.com) that serves a Strict-Transport-Security header with a chosen max-age over HTTPS; as RFC 6797 requires, curl ignores the header in plaintext HTTP responses, so the subdomain response has to arrive over TLS, whether it was requested as https:// or upgraded from http:// by HSTS. The attacker must also have a way to cause the victim to fetch x.example.com and later make http:// requests to example.com while HSTS is active, and the victim's cache must already hold entries for these domains. When x.example.com responds with the HSTS header, its expiry value incorrectly overwrites the parent domain's entry, lengthening or shortening the HSTS enforcement period for example.com [1].
Impact
The incorrect expiry can cause HTTP accesses to example.com to be upgraded to HTTPS for a period different from the server's intent. If the parent domain no longer supports HTTPS, curl may fail to access http://example.com until the wrongly set timeout expires. Conversely, the entry may expire earlier, causing curl to fall back to insecure HTTP prematurely. This could result in a minor denial of service or unprotected data transmission [1].
Mitigation
Fixed in curl version 8.11.0, released November 6, 2024. Users should update to curl 8.11.0 or later; distributions may backport the fix under an older upstream version string, so compare the installed package build against the ranges under Affected products rather than the bare `curl --version` number alone. As a workaround, disable HSTS (it is off unless enabled with --hsts or the CURLOPT_HSTS* options), use only https:// URLs so that no upgrade decision depends on the cache, or avoid mixing accesses to subdomains and their parent domains while HSTS is active. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
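The scenario described under Vulnerability and Impact, together with a look at the on-disk cache a practitioner would check for the Mitigation, as an added example; this is illustrative Python written for this page, not curl's hsts.c. It parses curl's HSTS cache file format (`--hsts <file>`: one `host "YYYYMMDD HH:MM:SS"` entry per line in UTC, or `host "unlimited"`, with a leading dot for includeSubDomains), replays a subdomain's header against a constructed cache with the pre-8.11.0 behaviour beside the corrected one, and reports whether http://example.com would still be upgraded afterwards. The cache contents are constructed, and the mechanism modelled for the vulnerable path (a lookup that also matches parent includeSubDomains entries being reused when recording the header) is an assumption about the bug, not something read from the fix diff, which this page does not carry.

```python
"""Model of the CVE-2024-9681 HSTS failure mode (illustrative, not curl's hsts.c)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of curl's on-disk HSTS cache (`curl --hsts <file>`):
# one entry per line, `host "YYYYMMDD HH:MM:SS"` (UTC) or `host "unlimited"`;
# a leading dot on the host marks includeSubDomains.
SAMPLE_CACHE = """\
# Your HSTS cache. https://curl.se/docs/hsts.html
.example.com "20301231 23:59:59"
x.example.com "20301231 23:59:59"
other.test "unlimited"
"""

ENTRY_RE = re.compile(r'^(\.?)([^\s"]+)\s+"([^"]*)"$')


def parse_hsts_cache(text):
    """Return {host: (include_subdomains, expires)}; expires is None for 'unlimited'."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable HSTS cache line: {line!r}")
        dot, host, stamp = m.groups()
        expires = None
        if stamp != "unlimited":
            expires = datetime.strptime(stamp, "%Y%m%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries[host.lower()] = (dot == ".", expires)
    return entries


class HstsCache:
    """In-memory HSTS cache that keeps insertion order, as a list-backed cache would."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})

    def governing_entry(self, host):
        """Entry that decides whether http://host is upgraded: the first entry, in
        insertion order, that is either the exact host or an includeSubDomains parent."""
        host = host.lower()
        for name, (include_sub, _) in self.entries.items():
            if name == host or (include_sub and host.endswith("." + name)):
                return name
        return None

    def upgrades(self, host, now):
        """Would http://host be rewritten to https:// at time `now`?"""
        key = self.governing_entry(host)
        if key is None:
            return False
        expires = self.entries[key][1]
        return expires is None or expires > now

    def apply_header(self, host, max_age, include_subdomains, now, fixed):
        """Record a Strict-Transport-Security header received over HTTPS from `host`.
        fixed=False is the ASSUMED pre-8.11.0 mechanism: the parent-matching lookup is
        reused to pick the entry to update, so a parent's includeSubDomains entry
        receives the subdomain's expiry. fixed=True touches the exact host only.
        Only the expiry is modelled; an existing entry keeps its flag."""
        host = host.lower()
        key = host if fixed else (self.governing_entry(host) or host)
        flag = self.entries[key][0] if key in self.entries else include_subdomains
        self.entries[key] = (flag, now + timedelta(seconds=max_age))
        return key


def replay(fixed):
    """Advisory scenario: example.com is cached (includeSubDomains) until 2030, then
    x.example.com answers over HTTPS with max-age=60. Returns (entry that was written,
    example.com expiry, whether http://example.com is still upgraded five minutes later)."""
    now = datetime(2024, 11, 1, tzinfo=timezone.utc)
    cache = HstsCache(parse_hsts_cache(SAMPLE_CACHE))
    written = cache.apply_header("x.example.com", 60, False, now, fixed=fixed)
    later = now + timedelta(minutes=5)
    return written, cache.entries["example.com"][1], cache.upgrades("example.com", later)


if __name__ == "__main__":
    for fixed in (False, True):
        written, expires, still_upgraded = replay(fixed)
        print(f"fixed={fixed}: header from x.example.com wrote entry {written!r}; "
              f"example.com now expires {expires:%Y-%m-%d %H:%M:%S} UTC; "
              f"http://example.com upgraded 5 min later: {still_upgraded}")
```

With `fixed=False` the 60-second max-age from x.example.com lands on the example.com entry and http://example.com stops being upgraded five minutes later, which is the premature insecure fallback described under Impact; with `fixed=True` only the x.example.com entry changes. The same parser can be pointed at a real `--hsts` file to see which parent entries carry includeSubDomains and when they expire.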
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
35 OSV package coordinates, none with a CPE assigned; each range is the affected (unfixed) version range for that package.
- pkg:apk/chainguard/curl: < 8.11.0-r0
- pkg:apk/chainguard/curl-dev: < 8.11.0-r0
- pkg:apk/chainguard/curl-doc: < 8.11.0-r0
- pkg:apk/chainguard/curl-oci-entrypoint: < 8.11.0-r0
- pkg:apk/chainguard/curl-static: < 8.11.0-r0
- pkg:apk/chainguard/libcurl4: < 8.11.0-r0
- pkg:apk/chainguard/libcurl-openssl4: < 8.11.0-r0
- pkg:apk/wolfi/curl: < 8.11.0-r0
- pkg:apk/wolfi/curl-dev: < 8.11.0-r0
- pkg:apk/wolfi/curl-doc: < 8.11.0-r0
- pkg:apk/wolfi/curl-oci-entrypoint: < 8.11.0-r0
- pkg:apk/wolfi/curl-static: < 8.11.0-r0
- pkg:apk/wolfi/libcurl4: < 8.11.0-r0
- pkg:apk/wolfi/libcurl-openssl4: < 8.11.0-r0
- pkg:rpm/opensuse/curl (distro: openSUSE Leap 15.5): < 8.0.1-150400.5.56.1
- pkg:rpm/opensuse/curl (distro: openSUSE Leap 15.6): < 8.6.0-150600.4.12.1
- pkg:rpm/opensuse/curl (distro: openSUSE Leap Micro 5.5): < 8.0.1-150400.5.56.1
- pkg:rpm/opensuse/curl (distro: openSUSE Tumbleweed): < 8.11.0-1.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Installer Updates 15 SP4): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Installer Updates 15 SP5): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Micro 5.3): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Micro 5.4): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Micro 5.5): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Module for Basesystem 15 SP5): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Module for Basesystem 15 SP6): < 8.6.0-150600.4.12.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Server 12 SP5-LTSS): < 8.0.1-11.98.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Server 15 SP4-LTSS): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Server for SAP Applications 15 SP4): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Linux Enterprise Server LTSS Extended Security 12 SP5): < 8.0.1-11.98.1
- pkg:rpm/suse/curl (distro: SUSE Linux Micro 6.0): < 8.6.0-4.1
- pkg:rpm/suse/curl (distro: SUSE Linux Micro 6.1): < 8.12.1-slfo.1.1_1.1
- pkg:rpm/suse/curl (distro: SUSE Manager Proxy 4.3): < 8.0.1-150400.5.56.1
- pkg:rpm/suse/curl (distro: SUSE Manager Server 4.3): < 8.0.1-150400.5.56.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.