CVE-2021-22890
Description
Curl 7.63.0 through 7.75.0 lets an HTTPS proxy bypass TLS certificate checks by confusing TLS 1.3 session tickets, enabling undetected MITM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
When libcurl (built with OpenSSL or a fork) uses an HTTPS proxy with TLS 1.3, it can confuse session tickets arriving from the proxy with those from the remote server. This flaw affects curl versions 7.63.0 through 7.75.0 and does not occur with TLS 1.2 or earlier. The code, not updated for TLS 1.3's post-handshake ticket delivery, mistakenly short-cuts the host handshake using the proxy's ticket. [1]
Exploitation
An attacker must operate an HTTPS proxy that provides a TLS certificate the curl client will accept for the target server (or the client must have disabled certificate verification). During a TLS 1.3 session, the proxy sends its session ticket; libcurl treats it as if it came from the remote server, skipping proper certificate validation. No user interaction beyond normal traffic is required. [1]
Impact
A malicious HTTPS proxy can perform a man-in-the-middle (MITM) attack on the connection, intercepting or modifying traffic without the client detecting the breach. This compromises the confidentiality and integrity of all data exchanged through the proxy. The attack only succeeds if the client trusts the proxy's certificate for the target host, but if certificate verification is disabled, any proxy can succeed. [1]
Mitigation
Curl version 7.76.0 and later fix the issue. For affected versions, the only workaround is to disable TLS 1.3 or avoid using TLS 1.3 with HTTPS proxies until upgrading is possible. [1] The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
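A shell check for the affected-version window and TLS backend described in the Vulnerability and Mitigation sections, added here as an example and not part of this page or the curl project; the `curl --version` lines are constructed samples and the proxy URL in the workaround comment is a placeholder.

```shell
# Convert "MAJOR.MINOR.PATCH" into one comparable integer (7.68.0 -> 7068000).
ver_num() {
    echo "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# True (exit 0) when $1 lies inside the affected window 7.63.0 .. 7.75.0.
in_affected_range() {
    v=$(ver_num "$1")
    [ "$v" -ge "$(ver_num 7.63.0)" ] && [ "$v" -le "$(ver_num 7.75.0)" ]
}

# True when the backend token names OpenSSL or one of its forks; other
# backends (GnuTLS, NSS, Schannel, ...) are not affected by this bug.
openssl_family() {
    case "$1" in
        OpenSSL*|BoringSSL*|LibreSSL*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the first line of `curl --version` output, e.g.
#   curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11
# Prints "affected" or "not-affected".
classify_curl_version_line() {
    line=$1
    version=$(printf '%s\n' "$line" | awk '{ print $2 }')
    # The TLS backend is the token right after "libcurl/x.y.z".
    backend=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^libcurl\//) { print $(i + 1); exit } }')
    if in_affected_range "$version" && openssl_family "$backend"; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample lines (not taken from real hosts): one affected build,
# one on a non-OpenSSL backend, one already fixed.
classify_curl_version_line "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11"
classify_curl_version_line "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 GnuTLS/3.6.13 zlib/1.2.11"
classify_curl_version_line "curl 7.76.0 (x86_64-pc-linux-gnu) libcurl/7.76.0 OpenSSL/1.1.1k zlib/1.2.11"

# Workaround for an affected build until it can be upgraded to 7.76.0+: cap the
# connection at TLS 1.2, since the ticket confusion does not occur there.
# The proxy URL is a placeholder.
#   curl --tls-max 1.2 --proxy https://proxy.example.invalid:443 https://www.example.com/
```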
Affected products
- curl/curl (from description)
- OSV coordinates (5 package versions, no CPE):
  - pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.2, range: < 7.66.0-lp152.3.15.1
  - pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed, range: < 7.79.1-1.1
  - pkg:rpm/opensuse/curl-mini&distro=openSUSE%20Leap%2015.2, range: < 7.66.0-lp152.3.15.1
  - pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.0, range: < 7.66.0-4.14.1
  - pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2, range: < 7.66.0-4.14.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ (vendor advisory, FEDORA)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ (vendor advisory, FEDORA)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ (vendor advisory, FEDORA)
- https://security.gentoo.org/glsa/202105-36 (vendor advisory, GENTOO)
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (CONFIRM)
- https://curl.se/docs/CVE-2021-22890.html (MISC)
- https://hackerone.com/reports/1129529 (MISC)
- https://security.netapp.com/advisory/ntap-20210521-0007/ (CONFIRM)
- https://www.oracle.com//security-alerts/cpujul2021.html (MISC)
News mentions
No linked articles in our index yet.