CVE-2017-2629
Description
A coding mistake in curl's OCSP stapling always returns success, allowing man-in-the-middle to present invalid certificates without detection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A coding mistake in curl and libcurl's TLS Certificate Status Request (OCSP stapling) feature, introduced in version 7.52.0 and present up to 7.52.1, causes the certificate validity check to always succeed, even when the server does not support the extension or fails to provide a valid proof of certificate status [1][4]. This affects the CURLOPT_SSL_VERIFYSTATUS option and the --cert-status command-line flag [1]. The bug was introduced during a code merge for HTTPS proxy support and lacked automated tests [1].
Exploitation
An attacker with a man-in-the-middle network position can exploit this vulnerability by presenting a revoked or otherwise invalid TLS certificate to a client using the affected curl versions. Because the client never properly validates the OCSP response, the attack will succeed without triggering an error [1]. The attacker only needs to intercept the TLS handshake and omit or supply a fake OCSP stapling response; the client will incorrectly treat it as valid [4].
Impact
Successful exploitation allows the attacker to impersonate any TLS server without detection, undermining the integrity and authenticity of secure communications. Users may be misled into believing a server's certificate is valid when it is not, potentially leading to data interception or manipulation [1][4].
Mitigation
The vulnerability is fixed in curl version 7.53.0, released on February 22, 2017 [1]. Users should upgrade to curl 7.53.0 or later, and applications using libcurl should be rebuilt with the fixed library [3]. There is no known workaround [3]. Affected versions: curl 7.52.0 to 7.52.1 inclusive; versions prior to 7.52.0 are not affected [1][4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
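Because the broken check fails silently (the client reports a valid certificate status rather than an error), the practical first step for a defender is an inventory check of the curl and libcurl versions in use. The following is an added example, not code from the CVE record or from the curl project: it classifies a build against the affected range stated above (7.52.0 through 7.52.1, fixed in 7.53.0) from either the text of `curl --version` or libcurl's numeric version form (`LIBCURL_VERSION_NUM` / `curl_version_info()->version_num`, encoded as 0xXXYYZZ). It reads both the tool version and the `libcurl/x.y.z` token, since an application linked against an old libcurl is affected even when a newer curl binary is installed. The sample outputs are constructed. A version-string check cannot see distribution backports, so a build that a vendor patched without bumping the version would still be flagged; treat a hit as a prompt to confirm against the vendor's advisory.

```python
"""Added example: classify a curl/libcurl version against CVE-2017-2629.

Affected range (from the advisory): 7.52.0 through 7.52.1 inclusive.
Fixed in 7.53.0. Versions before 7.52.0 are not affected.
"""
import re

AFFECTED_MIN = (7, 52, 0)   # first release carrying the broken OCSP stapling check
AFFECTED_MAX = (7, 52, 1)   # last affected release
FIXED = (7, 53, 0)          # first release with the fix

# First line of `curl --version` looks like:
#   curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.1.0e ...
_TOOL_RE = re.compile(r"^curl\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
_LIB_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_versions(text):
    """Return {'curl': (maj, min, patch), 'libcurl': (maj, min, patch)} parsed
    from `curl --version` output. A component absent from the text is omitted."""
    found = {}
    m = _TOOL_RE.search(text)
    if m:
        found["curl"] = tuple(int(x) for x in m.groups())
    m = _LIB_RE.search(text)
    if m:
        found["libcurl"] = tuple(int(x) for x in m.groups())
    return found


def version_from_libcurl_num(num):
    """Decode libcurl's numeric version (0xXXYYZZ) into (XX, YY, ZZ),
    e.g. 0x073401 -> (7, 52, 1)."""
    return ((num >> 16) & 0xFF, (num >> 8) & 0xFF, num & 0xFF)


def is_affected(version):
    """True when the version lies in [7.52.0, 7.52.1]; there, OCSP stapling
    verification (CURLOPT_SSL_VERIFYSTATUS / --cert-status) always passes."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def _fmt(name, v):
    return f"{name} {'.'.join(map(str, v))}"


def assess(text):
    """Return a one-line verdict for a `curl --version` output."""
    versions = parse_versions(text)
    if not versions:
        return "unknown: no curl/libcurl version found"
    bad = [_fmt(n, v) for n, v in versions.items() if is_affected(v)]
    if bad:
        return ("affected (CVE-2017-2629): " + ", ".join(bad)
                + "; upgrade to 7.53.0 or later")
    return "not affected: " + ", ".join(_fmt(n, v) for n, v in versions.items())


# Constructed sample outputs in the shape `curl --version` prints.
SAMPLE_AFFECTED = ("curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.1.0e\n"
                   "Protocols: https\n")
SAMPLE_FIXED = "curl 7.53.0 (x86_64-pc-linux-gnu) libcurl/7.53.0 OpenSSL/1.1.0e\n"
# Newer tool binary, but still linked against an affected libcurl.
SAMPLE_MIXED = "curl 7.53.1 (x86_64-pc-linux-gnu) libcurl/7.52.0 OpenSSL/1.1.0e\n"

if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED, SAMPLE_MIXED):
        print(assess(sample))
    # Runtime form: an application can compare curl_version_info()->version_num.
    print(is_affected(version_from_libcurl_num(0x073401)))  # 7.52.1 -> True
```

Run it against captured `curl --version` output from each host (or feed `version_num` from `curl_version_info()` into `version_from_libcurl_num` inside an application) and act on any "affected" verdict by rebuilding against libcurl 7.53.0 or later, as the advisory recommends.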
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The TLS Certificate Status Request extension feature incorrectly validates certificate proof, leading to a bypass of certificate revocation checks."
Attack vector
An attacker can exploit this vulnerability by presenting the client with a server certificate whose accompanying TLS Certificate Status Request (OCSP stapling) response is invalid, missing, or unsupported. The affected code treats this as valid proof of the server's certificate status, even when no proof exists or the extension is not supported. This misleads the client into believing the server's certificate is valid, potentially allowing man-in-the-middle attacks or the acceptance of otherwise untrusted connections [1]. The vulnerability also affects the command-line tool when the --cert-status option is used.
Affected code
The vulnerability resides in the TLS Certificate Status Request extension feature within curl and libcurl, specifically in the code that decides whether the status check succeeded or failed. The advisory points to the `lib/url.c` file and the `allocate_conn()` function as being related to this issue [1].
What the fix does
The advisory indicates that the vulnerability is resolved with updated libraries, specifically mentioning the correction of the OCSP Stapling Validation Failure which allowed for certificate revocation bypass [1]. While the advisory does not detail the specific code changes, it implies that the logic for validating the TLS Certificate Status Request extension has been corrected to properly identify invalid or unsupported proofs, thereby restoring proper certificate validation.
Preconditions
- network: The client must be communicating with a server that supports or can be tricked into presenting a TLS Certificate Status Request extension.
- input: The server's TLS Certificate Status Request extension must be invalid, unsupported, or otherwise malformed in a way that exploits the flaw in the client's validation logic.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- security.gentoo.org/glsa/201703-04 (MITRE: vendor-advisory, x_refsource_GENTOO)
- www.securityfocus.com/bid/96382 (MITRE: vdb-entry, x_refsource_BID)
- www.securitytracker.com/id/1037871 (MITRE: vdb-entry, x_refsource_SECTRACK)
- bugzilla.redhat.com/show_bug.cgi (MITRE: x_refsource_CONFIRM)
- curl.haxx.se/docs/adv_20170222.html (MITRE: x_refsource_CONFIRM)
- www.tenable.com/security/tns-2017-09 (MITRE: x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.