[GH-ISSUE #1588] "Copy cURL" does not escape the @ annotation #1581

New issue

Open

opened 2026-03-03 19:52:38 +03:00 by kerem · 1 comment

kerem commented

2026-03-03 19:52:38 +03:00

Owner

Originally created by @NghiaTranUIT on GitHub (Mar 29, 2023).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1588

Originally assigned to: @NghiaTranUIT on GitHub.

Description

A Security Analyst reports that the "Copy cURL" has a small security vulnerability. By using -d for the data, cURL automatically treats the @ as a file, and loads it.

Ref: https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome

Steps to Reproduce

Make a request, body = @/etc/passwd
Copy as cURL
Execute the cURL on Terminal
The file at @/etc/passwd is uploaded to the server.

Current Behavior

The @ is not escaped.

Expected Behavior

Use --data-raw

Originally created by @NghiaTranUIT on GitHub (Mar 29, 2023). Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/1588 Originally assigned to: @NghiaTranUIT on GitHub. ## Description A Security Analyst reports that the "Copy cURL" has a small security vulnerability. By using `-d` for the data, cURL automatically treats the `@` as a file, and loads it. Ref: https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp-google-chrome ## Steps to Reproduce 1. Make a request, body = `@/etc/passwd` 2. Copy as cURL 3. Execute the cURL on Terminal 4. The file at `@/etc/passwd` is uploaded to the server. ## Current Behavior - The `@` is not escaped. ## Expected Behavior - Use `--data-raw`

kerem added the

bug

✅ Done

labels

2026-03-03 19:52:38 +03:00

kerem commented

2026-03-03 19:52:38 +03:00

Author

Owner

@NghiaTranUIT commented on GitHub (Mar 29, 2023):

Fixed: https://download.proxyman.io/beta/Proxyman_4.5.0_Fix_cURL_security_issue.dmg

@NghiaTranUIT commented on GitHub (Mar 29, 2023): Fixed: https://download.proxyman.io/beta/Proxyman_4.5.0_Fix_cURL_security_issue.dmg