PT-2022-5975 · Libcurl+12
Robbotic · Published 2022-10-26 · Updated 2026-05-18
CVE-2022-32221
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
libcurl versions prior to 7.86.0
Description
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent POST request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
Recommendations
Update to libcurl version 7.86.0 or later to resolve the issue.
As a temporary workaround, consider disabling the CURLOPT_READFUNCTION callback when switching from a PUT to a POST request to minimize the risk of exploitation.
Restrict access to the CURLOPT_READFUNCTION callback to prevent unauthorized use.
Avoid reusing handles for different types of requests to prevent confusion between PUT and POST requests.
Exploit
Fix
DoS
Information Disclosure
Exposure of Resource to Wrong Sphere
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Astra Linux
IBM AIX
Linux Mint
Apple macOS
MySQL Server
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
libcurl