VYPR
Unrated severity · NVD Advisory · Published Nov 18, 2014 · Updated May 6, 2026

CVE-2014-3613

Description

cURL and libcurl prior to 7.38.0 improperly handle IP addresses in cookie domains, allowing cookie leakage between sites.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In cURL and libcurl versions 4.0 through 7.37.1, improper handling of IP addresses in cookie domain names allows an attacker to set or send cookies to arbitrary sites. The issue occurs when a client accesses a site using a numerical IP address and the site sends cookies with a partial IP address as the domain attribute. libcurl treats the IP address as a domain name and applies its usual tail matching, so a site at 192.168.0.1 can set cookies for any host whose address ends with .168.0.1, potentially leaking those cookies to other IPs such as 129.168.0.1 [3].

Exploitation

An attacker needs to control a server accessed via its literal IP address by the victim, and that server must send cookies with a domain attribute containing a partial IP address. No authentication or user interaction beyond normal browsing is required. The vulnerability only applies to IPv4 addresses with dots or IPv6 addresses using dotted-quad notation [3].

Impact

Successful exploitation allows an attacker to force libcurl to send cookies to unintended sites or to set cookies for other sites, leading to information disclosure or session hijacking. The impact is limited to applications that enable libcurl's cookie handling, which is opt-in by default [3].

Mitigation

The vulnerability is fixed in libcurl 7.38.0, released on September 10, 2014 [3]. Users should upgrade to version 7.38.0 or later. Red Hat issued RHSA-2015-1254 for affected RHEL versions [2]. Apple included the fix in OS X Yosemite v10.10.5 and Security Update 2015-006 [1]. No workaround exists except avoiding use of cookies with IP-based URLs.
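The matching flaw described under Vulnerability, shown beside a hardened matcher that accepts only an exact domain match when the host is an IP literal (my reading of what the 7.38.0 fix enforces; the page itself does not describe the patch). This is a constructed illustration, not libcurl's source; the function names and the crude IP-literal heuristic are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* Constructed illustration of the CVE-2014-3613 matching flaw; this is not
 * libcurl's code. Names and the IP-literal heuristic are assumptions. */

/* Case-insensitive string equality (cookie domains are case-insensitive). */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Crude IP-literal test: dotted digits (IPv4) or anything containing ':' (IPv6). */
static bool is_ip_literal(const char *host)
{
    bool dot = false;
    if (strchr(host, ':')) return true;            /* IPv6 literal */
    for (; *host; host++) {
        if (*host == '.') dot = true;
        else if (!isdigit((unsigned char)*host)) return false;
    }
    return dot;
}

/* Tail match on a label boundary: "example.com" matches "www.example.com".
 * Applied to an IP host, "168.0.1" also matches 192.168.0.1 and 129.168.0.1. */
static bool tail_match(const char *domain, const char *host)
{
    size_t dl = strlen(domain), hl = strlen(host);
    if (domain[0] == '.')            /* a leading dot in the attribute is ignored */
        return tail_match(domain + 1, host);
    if (dl == 0 || dl > hl || !ci_equal(host + hl - dl, domain))
        return false;
    return dl == hl || host[hl - dl - 1] == '.';
}

/* Pre-7.38.0 behaviour: the same tail match regardless of host form. */
bool cookie_domain_matches_vuln(const char *domain, const char *host)
{
    return tail_match(domain, host);
}

/* Hardened: an IP-literal host accepts only an exact domain match. */
bool cookie_domain_matches_fixed(const char *domain, const char *host)
{
    if (is_ip_literal(host))
        return ci_equal(domain[0] == '.' ? domain + 1 : domain, host);
    return tail_match(domain, host);
}
```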

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (20)

  • Curl/Curl (9 versions)
    • cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* (range: <=7.37.1)
    • cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*
    • (no CPE) range: <7.38.0
  • Curl/Libcurl (9 versions)
    • cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* (range: <=7.37.1)
    • cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*
    • cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*
    • (no CPE) range: <7.38.0
  • cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:* (range: <=10.10.4)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (11)

News mentions (0)

No linked articles in our index yet.