PT-2022-5561 · Curl+11 · Curl+11
Nyymi
·
Published
2022-05-15
·
Updated
2026-05-18
·
CVE-2022-32206
CVSS v2.0
7.1
High
| Vector | AV:N/AC:M/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 7.84.0
Description
The issue concerns the support for "chained" HTTP compression algorithms in curl, where a server response can be compressed multiple times with different algorithms. A malicious server can exploit this by inserting a virtually unlimited number of compression steps, leading to a "malloc bomb" and causing curl to spend enormous amounts of allocated heap memory or return out of memory errors. This can result in a denial of service condition.
Recommendations
For versions prior to 7.84.0, update to curl version 7.84.0 to resolve the issue. As a temporary workaround, consider restricting the use of the "chained" HTTP compression algorithms to minimize the risk of exploitation. Avoid connecting to specially-crafted servers that could insert a large number of compression steps.
Exploit
Fix
DoS
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Ibm Aix
Linuxmint
Apple Macos
Red Hat
Rocky Linux
Suse
Ubuntu
Curl