PT-2022-5377 · Curl+5

Published: 2022-10-26 · Updated: 2026-05-18 · CVE-2022-42915

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

curl versions 7.77.0 through 7.85.0

Description

The issue is related to a double free in curl when using an HTTP proxy for a transfer with a non-HTTP(S) URL. If curl is told to use an HTTP proxy, it sets up the connection by issuing a CONNECT request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request and return a non-200 status code, which could trigger a double free in curl if one of the following schemes is used in the URL: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet.

Recommendations

For versions 7.77.0 through 7.85.0, update to version 7.86.0 to resolve the issue. As a temporary workaround, consider avoiding the use of HTTP proxies with non-HTTP(S) URLs or restricting the use of the vulnerable schemes until a patch is available.
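
An added example, not part of the original advisory or of curl itself: a POSIX shell check that flags a planned transfer when all three conditions from the description hold (curl 7.77.0 through 7.85.0, a listed URL scheme, an HTTP proxy). The function names and sample inputs are constructed for illustration, and treating a proxy string without a scheme as an HTTP proxy is an assumption about curl's default.

```shell
# Added example; function names are hypothetical, sample inputs are constructed.

# Succeeds when a curl version such as "7.80.0" lies in 7.77.0 through 7.85.0.
curl_version_affected() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    for part in "$major" "$minor"; do
        case "$part" in ''|*[!0-9]*) return 2 ;; esac   # not a version number
    done
    [ "$major" -eq 7 ] && [ "$minor" -ge 77 ] && [ "$minor" -le 85 ]
}

# Succeeds when the URL uses one of the schemes listed in the description.
url_scheme_listed() {
    scheme=$(printf '%s' "${1%%:*}" | tr '[:upper:]' '[:lower:]')
    case "$scheme" in
        dict|gopher|gophers|ldap|ldaps|rtmp|rtmps|telnet) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the proxy string names an HTTP(S) proxy. Assumption: a proxy
# given without a scheme is treated as HTTP; socks* proxies do not use CONNECT.
proxy_is_http() {
    case "$1" in
        '') return 1 ;;                      # no proxy configured
        *://*) pscheme=$(printf '%s' "${1%%://*}" | tr '[:upper:]' '[:lower:]')
               case "$pscheme" in http|https) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;
    esac
}

# Prints "at-risk" only when all three conditions from the description hold.
assess_transfer() {   # args: curl-version url proxy
    if curl_version_affected "$1" && url_scheme_listed "$2" && proxy_is_http "$3"; then
        echo "at-risk"
    else
        echo "ok"
    fi
}

# Constructed sample transfers: version, URL, proxy.
while read -r ver url proxy; do
    printf '%-7s %-28s %-33s %s\n' "$ver" "$url" "$proxy" "$(assess_transfer "$ver" "$url" "$proxy")"
done <<'EOF'
7.83.1 ldap://dir.example.test/ http://proxy.example.test:3128
7.83.1 telnet://host.example.test/ socks5://proxy.example.test:1080
7.86.0 gopher://host.example.test/ proxy.example.test:3128
EOF
```

Where the upgrade has to wait, curl's `--proto` option (for example `--proto =http,https`) restricts a command to the named protocols.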

Fix

Double Free


Weakness Enumeration

Related Identifiers

ALT-PU-2022-2989
ALT-PU-2022-3017
ALT-PU-2022-3042
AZL-11368
AZL-38185
BDU:2022-06691
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2022-42915
JLSEC-2026-398
OESA-2022-2041
OPENSUSE-SU-2024:12447-1
RHSA-2022:8840
USN-5702-1

Affected Products

Alt Linux
Linux Mint
Apple macOS
RED OS
Ubuntu
Curl