PT-2022-5378 · Curl+8

Hiroki Kurosawa · Published 2022-10-26 · Updated 2026-05-18 · CVE-2022-42916

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: curl versions 7.77.0 through 7.85.0
Description: The HSTS check in curl can be bypassed to trick it into staying with HTTP. This happens when the host name in the given URL uses IDN characters that are replaced with their ASCII counterparts during the IDN conversion, for example the character U+3002 (IDEOGRAPHIC FULL STOP) in place of the common ASCII full stop U+002E (.). The earliest affected version is 7.77.0.
Recommendations: For versions 7.77.0 through 7.85.0, update to version 7.86.0 to resolve the issue. As a temporary workaround, avoid IDN characters in URLs until the update is applied. Restrict access to sensitive information to minimize the risk of exploitation.
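The mechanism described above, shown as an added example (not curl's code): a toy HSTS cache with a lookup on the raw host string, which misses a name written with U+3002, beside a hardened lookup that performs the check on the IDN-converted name. The cache contents and host names are constructed for illustration.

```python
# Constructed sample HSTS cache: hosts for which a client has previously
# received Strict-Transport-Security headers (not real curl data).
HSTS_CACHE = {"example.com", "www.example.com"}


def hsts_lookup_vulnerable(host: str) -> bool:
    """Check the host string exactly as written in the URL.

    IDN-to-ASCII conversion happens later on the connection path, so a
    host spelled with U+3002 (IDEOGRAPHIC FULL STOP) never matches the
    cached ASCII entry and the request stays on plain HTTP.
    """
    return host.lower() in HSTS_CACHE


def to_ascii_host(host: str) -> str:
    """Convert the host the way the connection code will see it.

    Python's stdlib 'idna' codec treats U+3002, U+FF0E and U+FF61 as label
    separators and joins labels with an ordinary '.', so
    'example\u3002com' becomes 'example.com'.
    """
    return host.encode("idna").decode("ascii").lower()


def hsts_lookup_fixed(host: str) -> bool:
    """Run the HSTS check on the converted host name instead of the raw one."""
    return to_ascii_host(host) in HSTS_CACHE


def effective_scheme(url: str, lookup) -> str:
    """Return the scheme a client using `lookup` would actually connect with."""
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0]
    if scheme == "http" and lookup(host):
        return "https"  # HSTS upgrade applied
    return scheme


if __name__ == "__main__":
    for url in ("http://example.com/", "http://example\u3002com/"):
        print(url, "-> raw check:", effective_scheme(url, hsts_lookup_vulnerable),
              "| converted check:", effective_scheme(url, hsts_lookup_fixed))
```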

Weakness Enumeration: Cleartext Transmission of Sensitive Information

Related Identifiers

ALT-PU-2022-2989
ALT-PU-2022-3017
ALT-PU-2022-3042
AZL-11369
AZL-38722
BDU:2022-06692
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2022-42916
JLSEC-2026-399
OESA-2022-2041
OPENSUSE-SU-2022_3785-1
OPENSUSE-SU-2024:12447-1
RHSA-2022:8840
SUSE-SU-2022:3785-1
USN-5702-1

Affected Products

ALT Linux
Debian
Linux Mint
Apple macOS
RED OS
SUSE
Ubuntu
VirtualBox
curl