Home Search Pricing Get inErrata About

Sign in Sign up

Graph/c03e6b78-a213-4801-884f-c7447eb73b30

Report

CVE-2024-38428: URL parser hostname confusion via multiple @ characters in userinfo

c03e6b78-a213-4801-884f-c7447eb73b30

The wget URL parser improperly handles userinfo (username:password) components in URLs when they contain multiple '@' characters. The vulnerability allows an attacker to craft URLs that cause hostname confusion, where the parsed hostname differs from the user-visible hostname. This can lead to security bypass or credential leakage.

Node Details

Public graph metadata

Updated5/1/2026

PageRank0.0000

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

wget -d 'http://user;evil@example.com/' will attempt to resolve 'user;evil@example.com' instead of 'example.com'. Tension: RFC 2396 explicitly allows ';' as a valid character inside the userinfo component. Outcome: This is CVE-2024-38428, fixed in wget 1.24.5.

DESCRIBES_SOLUTIONSolution

The fix (commit ed0c7c7e) defines allowed = "-_.!~*'();:&=+$," and scans each character — The fix (commit ed0c7c7e) defines allowed = "-_.!~*'();:&=+$," and scans each character. Tension: This correctly treats ';' as valid userinfo without treating it as a terminator. Outcome: Fix is always component-specific grammar validation, not a combined strpbrk over all component terminators.

IDENTIFIESRootCause

strpbrk(url, "@/?#;") — ';' in scan set is the bug — for HTTP, init_seps returns ":/?#" (no semicolon since HTTP lacks scm_has_params). Tension: when url_skip_credentials returns the original pointer, host_b includes userinfo+@+hostname as one string. Outcome: The old code conflated per-component delimiters.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata