VYPR
Severity: Unrated (NVD Advisory) · Published Jul 7, 2022 · Updated May 5, 2025

CVE-2022-32205

Description

Curl versions before 7.84.0 can be forced into a denial-of-service state by a malicious server sending excessive Set-Cookie headers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A malicious server can answer an HTTP request with an excessive number of Set-Cookie headers. When curl versions before 7.84.0 process such a response with the cookie engine enabled, they store every cookie received, with no limit on their number or size. Whenever curl later builds a request to a host those cookies match, it adds all of them to the Cookie: header; if the assembled request exceeds curl's internal size threshold of 1048576 bytes, curl returns an error instead of sending it. The denial of service is therefore on the client side: the curl instance holding the cookies can no longer reach the matching hosts. All curl versions before 7.84.0 are affected [3].

Exploitation

An attacker needs a server that the victim's curl will contact and that can respond with arbitrary headers; the response carries a large number of (or very large) Set-Cookie headers. Because of cookie domain matching, a cookie that foo.example.com sets with Domain=example.com also matches bar.example.com, so a sister server can deny the client access to other hosts under the same second-level domain. No authentication is required, and no user interaction beyond the initial request to the attacker-controlled server [3].
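The mechanism in the two paragraphs above (unbounded cookie storage, domain matching that carries foo.example.com's cookies to bar.example.com, and the request-size threshold) modelled in Python. This is an added illustration, not curl's own code: the 1048576-byte threshold is the figure from the advisory, while the class names, the caps in LimitedCookieJar (4096 bytes per cookie, 3000 stored, 150 sent per request) and the Set-Cookie headers fed in are assumptions constructed for the example.

```python
"""Model of the CVE-2022-32205 failure mode: an unbounded cookie store versus a
capped one. Added illustration, not curl's own code; the request threshold is
the advisory's figure, the caps below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Size limit curl applies to an assembled request before sending it (per the advisory).
MAX_REQUEST_BYTES = 1048576


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # effective domain, without a leading dot
    host_only: bool   # True when the response carried no Domain attribute


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus an optional Domain attribute.
    Path, Expires and other attributes are ignored in this model."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only = response_host.lower(), True
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain, host_only = val.strip().lstrip(".").lower(), False
    return Cookie(name.strip(), value.strip(), domain, host_only)


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 domain matching: a host-only cookie matches only its own host;
    a Domain= cookie matches that domain and every subdomain of it."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


class CookieJar:
    """Unbounded store, mirroring pre-7.84.0 behaviour: every cookie is kept and sent."""

    def __init__(self) -> None:
        self.cookies: Dict[Tuple[str, str], Cookie] = {}

    def accept(self, cookie: Cookie) -> bool:
        self.cookies[(cookie.domain, cookie.name)] = cookie
        return True

    def matching(self, request_host: str) -> List[Cookie]:
        return [c for c in self.cookies.values() if domain_matches(request_host, c)]

    def cookie_header(self, request_host: str) -> str:
        return "; ".join(f"{c.name}={c.value}" for c in self.matching(request_host))


class LimitedCookieJar(CookieJar):
    """Same store with caps on per-cookie size, total count and cookies per request.
    The numbers are illustrative assumptions chosen so a full request stays well
    under MAX_REQUEST_BYTES; they are not quoted from curl."""
    MAX_COOKIE_BYTES = 4096
    MAX_COOKIES = 3000
    MAX_COOKIES_PER_REQUEST = 150

    def accept(self, cookie: Cookie) -> bool:
        if len(cookie.name) + len(cookie.value) > self.MAX_COOKIE_BYTES:
            return False
        key = (cookie.domain, cookie.name)
        if key not in self.cookies and len(self.cookies) >= self.MAX_COOKIES:
            return False
        return super().accept(cookie)

    def cookie_header(self, request_host: str) -> str:
        sent = self.matching(request_host)[: self.MAX_COOKIES_PER_REQUEST]
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def build_request(jar: CookieJar, host: str, path: str = "/") -> Optional[bytes]:
    """Assemble a GET request with the jar's Cookie header; None stands for curl's
    'request too large' error path."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    cookie = jar.cookie_header(host)
    if cookie:
        lines.append(f"Cookie: {cookie}")
    request = ("\r\n".join(lines) + "\r\n\r\n").encode()
    return None if len(request) > MAX_REQUEST_BYTES else request


def malicious_set_cookie_headers(count: int, size: int) -> List[str]:
    """Constructed attacker response: `count` cookies with `size`-byte values,
    scoped to example.com so they also match sister hosts."""
    return [f"c{i}={'A' * size}; Domain=example.com" for i in range(count)]


def demo(jar_cls) -> Tuple[int, bool]:
    """Feed the poisoned response from foo.example.com, then try to reach bar.example.com.
    Returns (cookies stored, request could be sent)."""
    jar = jar_cls()
    for header in malicious_set_cookie_headers(count=300, size=4000):
        jar.accept(parse_set_cookie(header, "foo.example.com"))
    return len(jar.cookies), build_request(jar, "bar.example.com") is not None


if __name__ == "__main__":
    print("unbounded jar:", demo(CookieJar))         # (300, False): request refused
    print("limited jar:  ", demo(LimitedCookieJar))  # (300, True)
```

Three hundred 4000-byte cookies are enough to push the Cookie: header for bar.example.com past the threshold even though foo.example.com set them; the capped jar keeps the same cookies but sends at most 150 of them, so the request goes out. Note that a cookie without a Domain attribute stays host-only and never reaches the sister host, which is why the sister-server variant needs the Domain attribute.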

Impact

Successful exploitation leaves the affected curl client unable to send requests to the attacker's server or to any other host the stored cookies match: each attempt fails with an error for as long as the oversized cookies remain stored and unexpired. With a persistent cookie jar (curl -c, or CURLOPT_COOKIEJAR in libcurl) the state survives across invocations. The result is a loss of availability for the users and applications that depend on that client, not for the servers themselves [3].

Mitigation

Upgrade to curl 7.84.0 or later, which introduces limits on stored cookies so that a single response can no longer push subsequent requests over the size threshold. The Gentoo security advisory GLSA 202212-01 recommends upgrading to curl 7.86.0 or later [3]. No configuration change fixes an unpatched version, but the problem only arises when curl's cookie engine is enabled (for example via -b/-c on the command line, or CURLOPT_COOKIEFILE/CURLOPT_COOKIEJAR in libcurl); leaving it off, or discarding a cookie jar that has already been poisoned, sidesteps the issue where the application does not depend on cookies.
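A small inventory check for the upgrade advice above, added here and not part of the advisory: it parses `curl --version` output and flags the tool and the linked libcurl separately, since the cookie code lives in libcurl and the two versions can differ. The sample output, the function names and the FIXED_IN constant are assumptions constructed for the example; the 7.84.0 cut-off is the one the advisory states.

```python
"""Version check for CVE-2022-32205 against `curl --version` output. Added
helper, not from the advisory; the sample output below is constructed."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]
FIXED_IN: Version = (7, 84, 0)   # first release with the cookie limits


def parse_version(text: str) -> Version:
    """Turn 'X.Y' or 'X.Y.Z' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def versions_from_output(output: str) -> Dict[str, Version]:
    """Extract the tool version and the linked libcurl version from the first line
    of `curl --version`; they differ when the tool links a shared library built
    from another release."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    tool = re.match(r"curl\s+(\S+)", first)
    lib = re.search(r"libcurl/(\S+)", first)
    if not tool:
        raise ValueError("not curl --version output")
    found = {"curl": parse_version(tool.group(1))}
    if lib:
        found["libcurl"] = parse_version(lib.group(1))
    return found


def affected_components(output: str) -> Dict[str, bool]:
    """Map each component to True when its version predates the fix.
    Caveat: distributions may backport the fix without bumping the version,
    so True means 'check the package changelog', not 'confirmed vulnerable'."""
    return {name: v < FIXED_IN for name, v in versions_from_output(output).items()}


# Constructed sample: an older curl tool running against a newer shared libcurl.
SAMPLE_OUTPUT = """curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2022-01-05
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 IPv6 Largefile libz NTLM SSL TLS-SRP
"""

if __name__ == "__main__":
    print(affected_components(SAMPLE_OUTPUT))  # {'curl': True, 'libcurl': False}
```

Tuple comparison matters here: a string comparison would rank "7.9.1" above "7.84.0", while the tuple form correctly treats it as older.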

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 5

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 9

News mentions: 0 (no linked articles in our index yet)