PT-2022-21151 · Curl+5

Nyymi · Published 2022-06-27 · Updated 2026-05-18 · CVE-2022-32205

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

curl versions prior to 7.84.0

Description

A malicious server can serve excessive amounts of Set-Cookie: headers in an HTTP response to curl. This can cause subsequent HTTP requests to become larger than the internal threshold of 1048576 bytes, resulting in an error. The denial state might remain for as long as the same cookies are kept and haven't expired. Due to cookie matching rules, a server can set cookies that also match for other servers on the same second level domain, making it possible for a "sister server" to effectively cause a denial of service for a sibling site.

Recommendations

For versions prior to 7.84.0, update to curl version 7.84.0 to resolve the issue. As a temporary workaround, consider restricting the use of the Set-Cookie: header or clearing excessive cookies to minimize the risk of exploitation.
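To apply the "clearing excessive cookies" workaround you first need to know which cookie domains are inflating requests. The following is an added example, not part of the advisory or of curl's code: it reads a Netscape-format cookie jar (the format written by `curl -c`) and estimates the Cookie: header size a given host would receive. The function names and the sample jar are constructed for illustration, and the matching ignores the path and Secure fields, so the result is an upper bound.

```python
import time

LIMIT = 1048576  # request-size threshold quoted in the advisory

def parse_jar(text):
    """Yield (domain, subdomains, expires, name, value) from Netscape-format jar text."""
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):        # curl's prefix for HttpOnly cookies
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue                              # blank line or comment
        fields = line.split("\t")
        if len(fields) != 7:
            continue                              # not a cookie line
        domain, sub, _path, _secure, expires, name, value = fields
        yield domain.lstrip(".").lower(), sub == "TRUE", int(expires), name, value

def matches(host, domain, subdomains):
    host = host.lower()
    return host == domain or (subdomains and host.endswith("." + domain))

def matching_cookies(jar_text, host, now=None):
    """List (cookie_domain, "name=value") for unexpired cookies sent to host."""
    now = time.time() if now is None else now
    return [(d, f"{n}={v}") for d, sub, exp, n, v in parse_jar(jar_text)
            if matches(host, d, sub) and (exp == 0 or exp > now)]  # 0 = session cookie

def cookie_header_size(jar_text, host, now=None):
    """Bytes of the 'Cookie: a=b; c=d' line for host, or 0 if no cookie matches."""
    pairs = [p for _d, p in matching_cookies(jar_text, host, now)]
    return len(("Cookie: " + "; ".join(pairs)).encode()) if pairs else 0

def bytes_by_cookie_domain(jar_text, host, now=None):
    """Map cookie domain -> bytes of name=value data it contributes for host."""
    out = {}
    for d, p in matching_cookies(jar_text, host, now):
        out[d] = out.get(d, 0) + len(p.encode())
    return out

def sample_jar(n=300, size=4000):
    # Constructed data: one host-only cookie plus n large cookies scoped to .example.com
    lines = ["# Netscape HTTP Cookie File",
             "www.example.com\tFALSE\t/\tFALSE\t0\tsession\tabc123"]
    lines += [f".example.com\tTRUE\t/\tFALSE\t0\tpad{i}\t{'A' * size}" for i in range(n)]
    return "\n".join(lines)

if __name__ == "__main__":
    size = cookie_header_size(sample_jar(), "www.example.com")
    print(size, "over limit" if size >= LIMIT else "ok", bytes_by_cookie_domain(sample_jar(), "www.example.com"))
```

A domain whose contribution dominates `bytes_by_cookie_domain` for a host it does not serve is the one to purge from the jar.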

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

ALT-PU-2022-2421
ALT-PU-2022-2588
ALT-PU-2022-2874
AZL-10101
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2022-32205
DSA-5197-1
MGASA-2022-0250
OESA-2022-1744
OPENSUSE-SU-2022_2305-1
OPENSUSE-SU-2024:12214-1
SUSE-SU-2022:2305-1
SUSE-SU-2022_2305-1
USN-5495-1
USN-5495-2

Affected Products

ALT Linux
Linux Mint
Apple macOS
SUSE
Ubuntu
curl