Tim Ruehsen

**Name of the Vulnerable Software and Affected Versions** cURL versions prior to 7.38.0 libcurl versions prior to 7.38.0 **Description** The issue allows remote attackers to set cookies for or send arbitrary cookies to certain sites by not properly handling IP addresses in cookie domain names. This can be demonstrated by a site at an IP address like `192.168.0.1` setting cookies for a site at `127.168.0.1`. The flaw requires dots to be present in the IP address, which restricts it to IPv4 literal addresses or IPv6 addresses using the "dotted-quad" style. **Recommendations** For cURL versions prior to 7.38.0, update to version 7.38.0 or later to resolve the issue. For libcurl versions prior to 7.38.0, update to version 7.38.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of IP addresses in cookie domain names to minimize the risk of exploitation.