Skip to content

Instantly share code, notes, and snippets.

@bagder

bagder/slop.md

Last active November 13, 2025 19:30
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd to your computer and use it in GitHub Desktop.
Download ZIP
AI slop security reports submitted to curl
Raw
slop.md

Slop

This collection is limited to only include the reports that were submitted as security vulnerabilities to the curl bug-bounty program on Hackerone.

Several other issues not included here are highly suspcious as well.

Reports

  1. [Critical] Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet. #2199174
  2. Buffer Overflow Vulnerability in WebSocket Handling #2298307
  3. Exploitable Format String Vulnerability in curl_mfprintf Function #2819666
  4. Buffer overflow in strcpy #2823554
  5. Buffer Overflow Vulnerability in strcpy() Leading to Remote Code Execution #2871792
  6. Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4 #2887487
  7. bypass of this Fixed #2437131 [ Inadequate Protocol Restriction Enforcement in curl ] #2905552
  8. Hackers Attack Curl Vulnerability Accessing Sensitive Information #2912277
  9. ("possible") UAF #2981245
  10. Path Traversal Vulnerability in curl via Unsanitized IPFS_PATH Environment Variable #3100073
  11. Buffer Overflow in curl MQTT Test Server (tests/server/mqttd.c) via Malicious CONNECT Packet #3101127
  12. Use of a Broken or Risky Cryptographic Algorithm (CWE-327) in libcurl #3116935
  13. Double Free Vulnerability in libcurl Cookie Management (cookie.c) #3117697
  14. HTTP/2 CONTINUATION Flood Vulnerability #3125820
  15. HTTP/3 Stream Dependency Cycle Exploit #3125832
  16. Memory Leak #3137657
  17. Memory Leak in libcurl via Location Header Handling (CWE-770) #3158093
  18. Stack-based Buffer Overflow in TELNET NEW_ENV Option Handling #3230082
  19. HTTP Proxy Bypass via CURLOPT_CUSTOMREQUEST Verb Tunneling #3231321
  20. Use-After-Free in OpenSSL Keylog Callback via SSL_get_ex_data() in libcurl #3242005
  21. HTTP Request Smuggling Vulnerability Analysis - cURL Security Report #3249936
  22. Disk Space Exhaustion leading to a Denial of Service (DoS) #3250490
  23. Vulnerability Report: Public Exposure of Security Audit File #3272982
  24. Vulnerability Report: Local File Disclosure via file:// Protocol in cURL #3293884
  25. Exposure of Hard-coded Private Keys and Credentials in curl Source Repository (CWE-321) #3295650
  26. TOCTOU Race Condition in HTTP/2 Connection Reuse Leads to Certificate Validation Bypass #3335085
  27. Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE #3340109
  28. Timing Attack Vulnerability in curl Digest Authentication via Non-Constant-Time String Comparison #3346118
  29. Buffer Overflow in WebSocket Handshake (lib/ws.c:1287) #3392174
  30. Use of Deprecated strcpy() with Fixed-Size Buffers in Progress Time Formatting #3395218
  31. Use of Deprecated strcpy() with User-Controlled Environment Variable in Memory Debug Initialization #3395227
  32. Integer Overflow to Heap Overflow in DoH Response Handling #3399774
  33. CURLX_SET_BINMODE(NULL) can call fileno(NULL) and cause undefined behavior / crash #3400831
  34. Logical Flaw in curl_url_set Leads to Inconsistent Query Parameter Encoding #3403880
  35. Unsafe use of strcpy in Curl_ldap_err2string (packages/OS400/os400sys.c) — stack-buffer-overflow (PoC + ASan) #3418528

Policy

Our current policy says that we instantly ban all reporters submitting AI slop.

SLOP

@HJ-OwO
Copy link

HJ-OwO commented Oct 15, 2025

It's laughable to see some motherless idiot claiming to have discovered a vulnerability with minimal effort (maybe just a few minutes) and no verification, all in the hopes of winning a prize. If I were like you, and were to verify this claim and discover it was false, driven by AI hallucination, I'd want to smash my monitor. I applaud and commend your patience in responding to each and every one of these useless pieces of garbage.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment