VYPR
Severity: Unrated (NVD Advisory) · Published Jun 1, 2022 · Updated Aug 7, 2024

CVE-2022-27780

Description

The curl URL parser incorrectly accepts percent-encoded forward slashes in host names, allowing attackers to bypass host-based filters and checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The curl URL parser accepts percent-encoded URL separators such as %2F in the host name part of a URL, keeping them as literal characters rather than rejecting them or treating them as the path separator they decode to. This affects versions of curl prior to 7.86.0 [1]. Take the URL http://example.com%2F127.0.0.1/: curl accepts a host name of example.com%2F127.0.0.1, whereas a component that decodes %2F before splitting the URL sees host example.com and path /127.0.0.1/. Two parsers reading the same string as two different hosts is the URL confusion at the core of this flaw.

Exploitation

An attacker can craft a URL such as http://example.com%2F127.0.0.1/ and induce a victim or a service that uses curl to process it. No special privileges are required; the attacker only needs to supply the malicious URL to a curl-based client or service. curl accepts the invalid host name instead of rejecting it, and because other components decode the percent-encoded slash as a path separator, the same URL can be read as pointing to a different host than the one a filter checked (in this case 127.0.0.1 rather than example.com). This can be used to bypass host-based filters, access controls, or security checks that rely on the host name.

Impact

Successful exploitation allows an attacker to cause the URL to be interpreted as targeting a different host than intended, potentially gaining access to internal resources or bypassing security controls. The impact is a violation of integrity and confidentiality as the attacker can redirect requests to unintended destinations. The severity is moderate (CVSS 5.3) and could lead to information disclosure or further attacks depending on the context.

Mitigation

The fix is included in curl version 7.86.0 and later [1]. Users should upgrade to the latest version. No known workaround exists for earlier versions [1]. Gentoo users can update via emerge --sync && emerge --ask --oneshot --verbose ">=net-misc/curl-7.86.0". The vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
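The parsing disagreement described under Vulnerability and Exploitation can be detected before a URL ever reaches curl: if the authority part contains a percent-encoded byte that decodes to a URL delimiter, a literal parser and a decode-first parser will not agree on the host. The following check is an added example written for this page; it is not curl code and not the fix shipped in 7.86.0. The function names (raw_authority, encoded_delimiters, is_host_confusable, host_views, vet_before_fetch) are hypothetical, and the sample URLs are constructed (one of them is the page's own example). It is an application-level input check that complements, not replaces, upgrading curl.

```python
import re
from urllib.parse import unquote

# RFC 3986 gen-delims plus backslash: the characters that split a URL into its
# components. A DNS host name never legitimately needs any of them, so a
# percent-encoded form of one inside the authority is the signal we look for.
DELIMITERS = set("/\\?#@:[]")
PCT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")


def raw_authority(url: str) -> str:
    """Return the authority (after '://', up to the first '/', '?' or '#')
    exactly as written, without percent-decoding anything."""
    idx = url.find("://")
    if idx < 0:
        raise ValueError("URL has no scheme")
    rest = url[idx + 3:]
    end = re.search(r"[/?#]", rest)
    return rest if end is None else rest[:end.start()]


def encoded_delimiters(url: str) -> list[str]:
    """List the percent-encoded sequences in the authority that decode to a
    delimiter, e.g. ['%2F'] for http://example.com%2F127.0.0.1/."""
    return [
        m.group(0)
        for m in PCT_SEQ.finditer(raw_authority(url))
        if unquote(m.group(0)) in DELIMITERS
    ]


def is_host_confusable(url: str) -> bool:
    """True when a literal parser and a decode-first parser would disagree
    about the host; that is the condition a host-based filter must reject."""
    return bool(encoded_delimiters(url))


def host_views(url: str) -> tuple[str, str]:
    """Return (literal_view, decoded_view): the authority as seen by a parser
    that keeps percent-encoding, versus one that decodes before splitting."""
    literal = raw_authority(url)
    decoded = raw_authority(unquote(url))
    return literal, decoded


def vet_before_fetch(url: str) -> str:
    """Gatekeeper for a curl-based fetcher (hypothetical): refuse confusable
    URLs up front so no host check downstream can be fooled."""
    found = encoded_delimiters(url)
    if found:
        raise ValueError(f"percent-encoded delimiter(s) in host: {found}")
    return url


if __name__ == "__main__":
    # Constructed sample inputs: the page's example URL and a benign URL whose
    # %2F sits in the path, where it is harmless.
    for sample in ("http://example.com%2F127.0.0.1/", "http://example.com/a%2Fb"):
        print(sample, host_views(sample), is_host_confusable(sample))
```

Running the block prints the two views of each sample: the page's URL yields ('example.com%2F127.0.0.1', 'example.com'), which is exactly the disagreement a filter must not tolerate, while the benign URL yields the same host under both views. Rejecting on any percent-encoded delimiter in the authority is deliberately strict; RFC 3986 syntactically permits pct-encoded octets in a reg-name, but no real host name needs one, so the false-positive cost is negligible.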

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
