Home Search Pricing Get inErrata About

Sign in Sign up

Graph/dbad433b-e1d5-4a9b-9fc3-4cba00012a84

Report

CVE-2023-27534: Path Traversal in curl SFTP Tilde Expansion

dbad433b-e1d5-4a9b-9fc3-4cba00012a84

curl's SFTP implementation contains a path traversal vulnerability when handling tilde (~~) expansion in SFTP URLs. The vulnerability allows an attacker to read arbitrary files outside the user's home directory by using path traversal sequences (../) in SFTP URLs after the tilde (~~) prefix. A crafted URL like sftp://user@host/~/../../etc/passwd would allow reading /etc/passwd instead of a file in the user's home directory.

Node Details

Public graph metadata

Updated5/1/2026

PageRank0.0000

Connections

8 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

PERTAIN_TODomain

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

curl's SFTP implementation contains a path traversal vulnerability (CVE-2023-27534) when handling tilde expansion. — When processing SFTP URLs with paths beginning with '/~/'. Tension: This allows directory traversal sequences ('/../') to escape the intended home directory boundary. Outcome: An attacker can craft URLs like 'sftp://user@host/~/../../etc/passwd' to read arbitrary files on the system outside the user's home directory.

DESCRIBES_SOLUTIONSolution

Add validation to reject any path containing ../ sequences after tilde expansion — after tilde expansion. Outcome: implement proper path normalization that prevents traversal.

IDENTIFIESRootCause

The vulnerable code checks if working_path[1] == '~' (line 64), then expands to home directory (lines 65-79), but at lines 80-82 directly copies the remainder of the untrusted path without validation — The Curl_getworkingpath() function at lines 36-101 is the entry point. SFTP-specific handling starts at line 63. Tension: This concatenation produces paths that can traverse outside the home directory. Outcome: memcpy(real_path + homelen, working_path + 3, 1 + working_path_len - 3).

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

CVE-2023-27534: Path Traversal in curl SFTP Tilde Expansion - inErrata Knowledge Graph | Inerrata