CVE-2016-8615
Description
Cookie injection in curl before 7.51.0 via truncation of long cookie lines in the cookie jar file allows arbitrary-domain cookie injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw in curl before version 7.51.0 allows cookie injection for arbitrary domains. The libcurl function that loads cookies from a cookie jar file into memory reads the file line by line with fgets() into a fixed-size buffer. If a cookie line (name plus value) is longer than that buffer, fgets() truncates the line, and the remainder is returned by the next fgets() call as if it were a separate line. Crafted long cookie lines sent by a malicious HTTP server can therefore be stored in the jar and later read back in pieces, with a piece potentially being parsed as a valid cookie for a different domain [4]. The flaw affects curl versions 4.9 up to and including 7.50.3 [4].
Exploitation
Exploitation requires that an attacker control an HTTP server the victim's libcurl-based application connects to, and that the application read a cookie jar file written by a previous session via CURLOPT_COOKIEFILE (or the -b command-line option). The attacker's server sends an HTTP response containing a cookie whose name or value exceeds the fixed buffer. That long cookie is written to the cookie jar file. When the file is later read, fgets() truncates the line, and with careful crafting the truncated remainder is interpreted as a cookie for a different domain than the original server [4].
Impact
A successful injection lets an attacker set cookies for arbitrary domains. This can enable session fixation, cross-site request forgery, or other attacks that rely on a cookie being associated with the wrong origin. The attacker gains neither code execution nor direct access to the file system, but can manipulate cookie-based authentication or state in subsequent requests made by the vulnerable application [4].
Mitigation
The vulnerability is fixed in curl 7.51.0, released on November 2, 2016 [4]; upgrade curl and libcurl to 7.51.0 or later. Red Hat has backported fixes in RHSA-2018:2486 and RHSA-2018:3558 [1][2]. As a workaround, avoid using CURLOPT_COOKIEFILE with untrusted cookie jars. If patching is not immediately possible, do not reuse cookie files that may contain long cookie lines written after contact with malicious servers [4].
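To show both the truncation described under Vulnerability and the kind of check a loader needs (Mitigation), here is an added example in C, not curl's code: a naive fgets() loader that counts a constructed over-long cookie-jar line as two lines, beside a hardened loader that detects the missing trailing newline and discards the rest of the line. The cookie-jar contents, LINE_BUF and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not curl's code. A small fixed buffer stands in for the
 * fixed-size line buffer the cookie-jar loader used before 7.51.0. */
#define LINE_BUF 64

/* Constructed Netscape-format cookie jar: one short line, then one line whose
 * value is longer than LINE_BUF (the domain is a placeholder). */
static const char JAR[] =
    "example.com\tFALSE\t/\tFALSE\t0\tsid\tabc\n"
    "example.com\tFALSE\t/\tFALSE\t0\tlong\t"
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"
    "\n";

/* Load the jar text into a temporary stream so the loaders can use fgets(). */
static FILE *open_jar(const char *jar) {
    FILE *fp = tmpfile();
    if (!fp || fputs(jar, fp) == EOF) { if (fp) fclose(fp); return NULL; }
    rewind(fp);
    return fp;
}

/* Pre-fix behaviour: every fgets() result is treated as one cookie line, so
 * the tail of a truncated line is parsed as a second, separate line. */
int count_lines_naive(const char *jar) {
    char buf[LINE_BUF];
    int n = 0;
    FILE *fp = open_jar(jar);
    if (!fp) return -1;
    while (fgets(buf, sizeof buf, fp))
        n++;
    fclose(fp);
    return n;
}

/* Hardened loader: a result with no trailing '\n' that is not the final line
 * was truncated; drain and reject the whole line instead of parsing pieces. */
int count_lines_hardened(const char *jar) {
    char buf[LINE_BUF];
    int n = 0, c;
    FILE *fp = open_jar(jar);
    if (!fp) return -1;
    while (fgets(buf, sizeof buf, fp)) {
        size_t len = strlen(buf);
        if ((len > 0 && buf[len - 1] == '\n') || feof(fp)) { n++; continue; }
        while ((c = fgetc(fp)) != EOF && c != '\n')
            ;               /* discard the remainder of the over-long line */
    }
    fclose(fp);
    return n;
}
```

The naive loader reports three lines for a two-line jar; the hardened one reports one, having rejected the over-long line as a whole.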
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (10 versions):
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed: < 7.51.0-1.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1: < 7.37.0-31.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4: < 7.19.7-1.64.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1: < 7.37.0-31.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4: < 7.19.7-1.64.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1: < 7.37.0-31.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4: < 7.19.7-1.64.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1: < 7.37.0-31.1 (no CPE)
- pkg:rpm/suse/curl&distro=SUSE%20Studio%20Onsite%201.3: < 7.19.7-1.20.47.2 (no CPE)
- pkg:rpm/suse/curl-openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY: < 7.19.7-1.64.1 (no CPE)
- The Curl Project / curl (CVE v5 record), range: 7.51.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2018:2486 (MITRE, vendor advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2018:3558 (MITRE, vendor advisory, x_refsource_REDHAT)
- security.gentoo.org/glsa/201701-47 (MITRE, vendor advisory, x_refsource_GENTOO)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (MITRE, x_refsource_CONFIRM)
- www.securityfocus.com/bid/94096 (MITRE, vdb entry, x_refsource_BID)
- www.securitytracker.com/id/1037192 (MITRE, vdb entry, x_refsource_SECTRACK)
- bugzilla.redhat.com/show_bug.cgi (MITRE, x_refsource_CONFIRM)
- curl.haxx.se/CVE-2016-8615.patch (MITRE, x_refsource_CONFIRM)
- curl.haxx.se/docs/adv_20161102A.html (MITRE, x_refsource_CONFIRM)
- lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
- lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
- www.tenable.com/security/tns-2016-21 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.