{"id":"CURL-CVE-2018-1000120","summary":"FTP path trickery leads to NIL byte out of bounds write","details":"curl can be fooled into writing a zero byte out of bounds.\n\nThis bug can trigger when curl is told to work on an FTP URL, with the setting\nto only issue a single CWD command (`--ftp-method singlecwd` or the libcurl\nalternative `CURLOPT_FTP_FILEMETHOD`).\n\ncurl then URL-decodes the given path, calls strlen() on the result and deducts\nthe length of the filename part to find the end of the directory within the\nbuffer. It then writes a zero byte on that index, in a buffer allocated on the\nheap.\n\nIf the directory part of the URL contains a \"%00\" sequence, the directory\nlength might end up shorter than the filename path, making the calculation\n`size_t index = directory_len - filepart_len` end up with a huge index\nvariable for where the zero byte gets stored: `heap_buffer[index] = 0`. On\nseveral architectures that huge index wraps and works as a negative value,\nthus overwriting memory *before* the intended heap buffer.\n\nBy using different file part lengths and putting %00 in different places in\nthe URL, an attacker that can control what paths a curl-using application uses\ncan write that zero byte on different indexes.","aliases":["CVE-2018-1000120","GHSA-674j-7m97-j2p9"],"modified":"2026-04-25T20:38:47.427688Z","published":"2018-03-14T08:00:00Z","database_specific":{"package":"curl","CWE":{"desc":"Heap-based Buffer Overflow","id":"CWE-122"},"www":"https://curl.se/docs/CVE-2018-1000120.html","last_affected":"7.58.0","affects":"both","URL":"https://curl.se/docs/CVE-2018-1000120.json","severity":"High"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.12.3"},{"fixed":"7.59.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"6e1e9caa32da099569bb95e64faf0b5f3cf103b5"},{"fixed":"535432c0adb62fe167ec09621500470b6fa4eb0f"}]}],"versions":["7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:38:47Z","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["186785845436151373612249911977958489167","139368412014933340594086933420174292978","70225530077095739146651377461514758151","315143483916214608334710777218089290124","330558257654468377878934021755801694908","254969999324771221931386190909434168886","314505041855647615494139870984025356690","193603554521551770788174899501257487744","218104536554178230123180371501278426620","249311429039464347119097856005670027110","1949081060692883523800352474588507207","213361387690354360733145989391887781117","208717138941869647486339912054043560965","269526386197135474816625635309184114445","66234633984291063582401520848155751934","309919340248357245579399319652351958555"]},"source":"https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f","signature_type":"Line","signature_version":"v1","deprecated":false,"target":{"file":"lib/ftp.c"},"id":"CURL-CVE-2018-1000120-1a41fdc7"},{"digest":{"length":925,"function_hash":"165261537492784234712649842191490061433"},"source":"https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"file":"lib/ftp.c","function":"ftp_state_list"},"id":"CURL-CVE-2018-1000120-3930517d"},{"digest":{"length":3107,"function_hash":"53816560832323379067076410399629338950"},"source":"https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"file":"lib/ftp.c","function":"ftp_parse_url_path"},"id":"CURL-CVE-2018-1000120-3dc55c90"},{"digest":{"length":4608,"function_hash":"250530457694557457073913850752791544424"},"source":"https://github.com/curl/curl.git/commit/535432c0adb62fe167ec09621500470b6fa4eb0f","signature_type":"Function","signature_version":"v1","deprecated":false,"target":{"file":"lib/ftp.c","function":"ftp_done"},"id":"CURL-CVE-2018-1000120-e7d820bb"}],"source":"https://curl.se/docs/CURL-CVE-2018-1000120.json"}}],"schema_version":"1.7.5","credits":[{"name":"Duy Phan Thanh","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}