CVE-2014-3620
Description
libcurl before 7.38.0 allows remote attackers to bypass Same Origin Policy by setting cookies for top-level domains, potentially leaking sensitive data to unrelated sites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2014-3620 affects cURL and libcurl 7.31.0 through 7.37.1 (inclusive). When the cookie engine stores a cookie from a Set-Cookie header, it only checks that the responding host tail-matches the cookie's Domain attribute; it has no Public Suffix List awareness and no check that the domain is more specific than a top-level domain (TLD), so a server at example.com can set a cookie with Domain=.com and libcurl accepts it [3]. Such a cookie tail-matches every host under that TLD and is therefore attached to requests to unrelated sites, defeating the per-domain scoping that the Same Origin Policy relies on for cookies.
Exploitation
An attacker who controls any server the libcurl-based application talks to (or who can inject into its responses) returns a Set-Cookie header whose Domain attribute is a bare TLD, for example Set-Cookie: sid=attacker; Domain=.com. No authentication, user interaction, or man-in-the-middle position is needed beyond getting the application to fetch that response; any site that can set cookies through libcurl can trigger the issue. The precondition is that the application has enabled the cookie engine (for instance via CURLOPT_COOKIEFILE or CURLOPT_COOKIEJAR), since it is off by default in libcurl [3].
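The accept-then-replay logic described in the Vulnerability and Exploitation paragraphs above, as an added example that is not libcurl's own code: a small C model of a cookie engine's Domain check, with the vulnerable tail-match-only rule beside a hardened rule that also rejects public suffixes. The function names, the constructed public-suffix table (co.uk, com.au) and the sample Set-Cookie header are assumptions of this example; the real 7.38.0 fix rejects single-label TLDs only, and the table stands in for the Public Suffix List that a complete check needs.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libcurl code: a model of the check a cookie engine applies
 * to the Domain attribute of a Set-Cookie header received from `host`, in the
 * vulnerable form (tail match only) and a hardened form (plus public-suffix check). */

/* ASCII case-insensitive compare of n bytes; a NUL in `a` never matches a letter in `b`. */
static bool ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    return true;
}

static bool ieq(const char *a, const char *b)
{
    return strlen(a) == strlen(b) && ieq_n(a, b, strlen(a));
}

/* Does `host` end with `domain` on a label boundary? A leading dot on the domain
 * is ignored: "bank.com" matches ".com"; "notexample.com" does not match "example.com". */
static bool tailmatch(const char *domain, const char *host)
{
    if (*domain == '.') domain++;
    size_t dl = strlen(domain), hl = strlen(host);
    if (dl == 0 || dl > hl) return false;
    const char *tail = host + hl - dl;
    return ieq_n(tail, domain, dl) && (hl == dl || tail[-1] == '.');
}

/* Vulnerable rule (libcurl 7.31.0 to 7.37.1 as described above): any Domain
 * value the setting host tail-matches is accepted, a bare TLD included. */
static bool domain_ok_vulnerable(const char *host, const char *domain)
{
    return tailmatch(domain, host);
}

/* Hardened rule: also reject a domain that is a public suffix. A single label
 * ("com") is a TLD, which is what the 7.38.0 fix rejects; a multi-label suffix
 * ("co.uk") needs a public-suffix list, modelled here by a constructed table. */
static const char *const PUBLIC_SUFFIXES[] = { "co.uk", "com.au", NULL };

static bool is_public_suffix(const char *domain)
{
    if (*domain == '.') domain++;
    if (strchr(domain, '.') == NULL) return true;
    for (const char *const *p = PUBLIC_SUFFIXES; *p; p++)
        if (ieq(domain, *p)) return true;
    return false;
}

static bool domain_ok_fixed(const char *host, const char *domain)
{
    return tailmatch(domain, host) && !is_public_suffix(domain);
}

/* Minimal Set-Cookie parser: copy the Domain value into `out`; false if absent (host-only cookie). */
static bool cookie_domain(const char *set_cookie, char *out, size_t outlen)
{
    const char *p = set_cookie;
    while ((p = strchr(p, ';')) != NULL) {
        p++;
        while (*p == ' ') p++;
        if (!ieq_n(p, "domain=", 7)) continue;
        p += 7;
        size_t n = strcspn(p, "; ");
        if (n == 0 || n >= outlen) return false;
        memcpy(out, p, n);
        out[n] = '\0';
        return true;
    }
    return false;
}

/* The whole scenario: `setter` answers with `set_cookie`; is that cookie later
 * attached to a request to `target`? Host-only cookies go back only to the setter. */
static bool cookie_reaches(const char *setter, const char *set_cookie,
                           const char *target, bool fixed)
{
    char domain[256];
    if (!cookie_domain(set_cookie, domain, sizeof domain)) return ieq(setter, target);
    bool accepted = fixed ? domain_ok_fixed(setter, domain)
                          : domain_ok_vulnerable(setter, domain);
    return accepted && tailmatch(domain, target);
}

int main(void)
{
    /* Constructed response header from an attacker-controlled host. */
    const char *hdr = "sid=attacker-chosen; Domain=.com; Path=/";
    printf("vulnerable: cookie from evil.com reaches bank.com: %s\n",
           cookie_reaches("evil.com", hdr, "bank.com", false) ? "yes" : "no");
    printf("fixed:      cookie from evil.com reaches bank.com: %s\n",
           cookie_reaches("evil.com", hdr, "bank.com", true) ? "yes" : "no");
    return 0;
}
```

Compiled and run, the program shows the attacker's cookie from evil.com reaching bank.com under the vulnerable rule and being rejected under the hardened rule, while a legitimate Domain=example.com cookie set by www.example.com still reaches api.example.com, and a cookie for Domain=bank.com set by evil.com is blocked by the plain tail match in both variants: the flaw is specifically the missing public-suffix check, not a missing tail match.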
Impact
A successful attack makes libcurl attach the planted cookie to requests to every host under the affected TLD. Because the attacker chooses the cookie's name and value, unrelated sites receive it as though they had set it, which enables cookie injection attacks such as session fixation; and any cookie set with a TLD domain, together with whatever session tokens, preferences, or other data it carries, is sent to servers that were never meant to receive it, which is the cross-domain disclosure the description refers to [3].
Mitigation
The fix shipped in libcurl 7.38.0, which rejects incoming cookies set for a TLD [3]. Upgrade to 7.38.0 or later; vendor builds carry the same change, for example Debian's DSA-3022 and Apple's OS X Yosemite v10.10.5 and Security Update 2015-006 [1]. Where upgrading is not possible, the only workaround is to leave the cookie engine disabled (it is opt-in in libcurl), so the application never stores or replays cookies. Note that the 7.38.0 check rejects single-label domains only and does not consult the Public Suffix List, so multi-label public suffixes such as co.uk are not covered by it; that needs a libcurl built with Public Suffix List support.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* (range: <= 7.37.1)
- cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*
- (no CPE) range: < 7.38.0
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* (range: <= 7.37.1)
- cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*
- (no CPE) range: < 7.38.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- curl.haxx.se/docs/adv_20140910B.html (Patch; Vendor Advisory)
- www.debian.org/security/2014/dsa-3022 (Vendor Advisory)
- support.apple.com/kb/HT205031 (Vendor Advisory)
- kb.juniper.net/InfoCenter/index
- lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
- www.openwall.com/lists/oss-security/2022/05/11/2
- www.securityfocus.com/bid/69742
News mentions
No linked articles in our index yet.