aria2 1.33.1 Password Disclosure

aria2 version 1.33.1 suffers from a password disclosure vulnerability when logging URLs with secrets in them.

MD5 | 6faf3e5ab90997fdc7deea262c1d499c

# Exploit Title: Metadata and potential password leak in aria2
# Date: 2019-01-02
# Exploit Author: Dhiraj Mishra
# Software Link:
# Version: aria2 1.33.1
# Tested on: Linux 4.15.0-38-generic
# CVE: CVE-2019-3500

## Summary
aria2 is a lightweight multi-protocol command-line utility, which leaks
data or potential password via `--log=` attribute for HTTP based
authentication which might allow local attackers to obtain sensitive

It was observed that URL's which gets downloaded via `--log=` attribute
storeas sensitive information.
Example: aria2c --log=file https://user:[email protected]/

Thank you


*Dhiraj Mishra.*GPG ID : 51720F56 | Finger Print : 1F6A FC7B 05AA CF29
8C1C ED65 3233 4D18 5172 0F56

Related Posts