VYPR
Unrated severity · NVD Advisory · Published Sep 23, 2022 · Updated May 5, 2025

CVE-2022-35252

Description

Curl accepts HTTP cookies containing control codes. When such cookies are later sent back to an HTTP server, the server may reject the requests (typically with 400 responses), effectively allowing a "sister site" to deny service to all of its siblings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies whose name or value includes control codes (e.g., carriage returns, line feeds and other bytes in the 0x01-0x1f range). When these cookies are later sent back to an HTTP server, the embedded control codes may cause that server to reject the request with a 400 Bad Request, effectively allowing a "sister site" to deny service to all siblings. This affects curl as shipped in various products, including Apple macOS Monterey 12.6.3 and macOS Big Sur 11.7.3 [1][2]. Upstream curl fixed this in 7.85.0 by rejecting cookies that carry control bytes; the Gentoo advisory references curl 7.86.0 or later [3].

Exploitation

An attacker operating a malicious HTTP server (the "sister site", e.g. evil.example.com) can set cookies containing control codes in its Set-Cookie responses, with a Domain attribute covering the parent domain (Domain=example.com). The victim curl client stores those cookies and subsequently sends them to every other host under that domain (the siblings, e.g. api.example.com). Servers that validate the Cookie header then reject the request with 400 Bad Request. No special authentication or write access is required beyond the ability to serve arbitrary HTTP responses to the curl client; the attacker only needs control of one host within the shared domain.

Impact

Successful exploitation results in a denial of service (DoS) condition: the targeted HTTP servers return 400 errors for requests from the affected client, disrupting that client's access to every sibling host. The effect lasts as long as the malformed cookie remains in the client's cookie store, including a cookie jar file written with -c and reloaded with -b. The impact is limited to service availability; no information disclosure, privilege escalation, or remote code execution is reported.

Mitigation

Patched versions include curl 7.86.0 (or later) for Gentoo systems [3], and the relevant Apple updates in macOS Monterey 12.6.3 and macOS Big Sur 11.7.3 [1][2]. Users should upgrade to these or later versions. No workaround has been published for unpatched systems; if patching is not feasible, restrict the curl client's ability to interact with untrusted servers that could set cookies for a shared domain, avoid sharing a cookie jar between hosts of different trust levels, and inspect or clear existing cookie jar files, since a poisoned cookie stored before the upgrade is still sent until it is removed.
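The three pieces of the Vulnerability, Exploitation and Mitigation sections above fit in one short model, added here as an example that is not curl's code: a control-byte check on cookie name and value in the spirit of the 7.85.0 fix, the domain matching that makes a cookie set by one host reach its sibling hosts, and a scan of a Netscape-format cookie jar for entries a pre-fix client may already have stored. The rejected byte set (0x01-0x1f except TAB, plus DEL), the restriction of the check to name and value, the simplified Domain handling and all sample cookies are assumptions made for the example.

```python
"""Model of curl's cookie control-byte problem and its fix (added example, not curl's code)."""
from __future__ import annotations

# Bytes rejected in a cookie's name or value: 0x01-0x1f except TAB (0x09), plus DEL (0x7f).
# Assumption: this set, and checking only name and value, are chosen for the example.
CONTROL_BYTES = (frozenset(range(0x01, 0x20)) - {0x09}) | {0x7F}


def has_control_bytes(s: str) -> bool:
    """True if any character of s is in the rejected control-byte set."""
    return any(ord(ch) in CONTROL_BYTES for ch in s)


def parse_set_cookie(header: str, origin_host: str, reject_control: bool = True) -> dict | None:
    """Parse one Set-Cookie header value into a cookie record, or None if rejected.

    reject_control=False models the pre-fix behaviour (stored as-is);
    True models the fix. Domain handling is simplified: a Domain attribute
    is stored with a leading dot (covers subdomains), otherwise host-only.
    """
    pieces = [p.strip() for p in header.split(";")]
    name, sep, value = pieces[0].partition("=")
    name, value = name.strip(), value.strip()
    if not sep or not name:
        return None
    if reject_control and (has_control_bytes(name) or has_control_bytes(value)):
        return None
    attrs = {}
    for piece in pieces[1:]:
        k, _, v = piece.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        # A host may only set cookies for itself or a parent domain.
        if not (origin_host == domain or origin_host.endswith("." + domain)):
            return None
        domain = "." + domain
    else:
        domain = origin_host.lower()
    return {"name": name, "value": value, "domain": domain, "path": attrs.get("path", "/")}


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Netscape-style match: a leading dot means the cookie covers all subdomains."""
    host = host.lower()
    if cookie_domain.startswith("."):
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain


def cookies_for(jar: list[dict], host: str) -> list[str]:
    """Names of stored cookies a client would send to host."""
    return [c["name"] for c in jar if domain_matches(host, c["domain"])]


def scan_netscape_jar(text: str) -> list[tuple[int, str]]:
    """(line_number, cookie_name) for jar entries whose name or value has control bytes.

    Netscape jar lines hold seven TAB-separated fields: domain, subdomain flag,
    path, secure, expiry, name, value. '#HttpOnly_' lines are entries; other '#' lines are comments.
    """
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line or line.startswith("#"):
            continue
        fields = line.split("\t", 6)
        if len(fields) < 7:
            continue
        name, value = fields[5], fields[6]
        if has_control_bytes(name) or has_control_bytes(value):
            hits.append((lineno, name))
    return hits


# Constructed sample: Set-Cookie values served by the attacker-controlled host
# evil.example.com, all scoped to the parent domain so siblings receive them.
ORIGIN = "evil.example.com"
SAMPLE_SET_COOKIE = [
    "session=abc123; Domain=example.com; Path=/",
    "bad=x\r\nX-Injected: y; Domain=example.com; Path=/",  # CR/LF payload
    "tab=a\tb; Domain=example.com",                         # TAB is allowed
    "del=a\x7fb; Domain=example.com",                       # DEL is rejected
]

# Constructed sample jar as a pre-fix client might have written it with -c.
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    ".example.com\tTRUE\t/\tFALSE\t0\tsession\tabc123\n"
    ".example.com\tTRUE\t/\tFALSE\t0\tbad\tx\rX-Injected: y\n"
)


def accepted_names(reject_control: bool) -> list[str]:
    """Names of the sample cookies a client stores, pre-fix (False) or post-fix (True)."""
    jar = [parse_set_cookie(h, ORIGIN, reject_control) for h in SAMPLE_SET_COOKIE]
    return [c["name"] for c in jar if c]


def sent_to_sibling(reject_control: bool, sibling: str = "api.example.com") -> list[str]:
    """Names of the sample cookies that reach a sibling host of the attacker's site."""
    jar = [c for c in (parse_set_cookie(h, ORIGIN, reject_control) for h in SAMPLE_SET_COOKIE) if c]
    return cookies_for(jar, sibling)


if __name__ == "__main__":
    print("pre-fix  stores:", accepted_names(False), "sends to api:", sent_to_sibling(False))
    print("post-fix stores:", accepted_names(True), "sends to api:", sent_to_sibling(True))
    print("jar entries with control bytes:", scan_netscape_jar(SAMPLE_JAR))
```

Run as a script, the pre-fix path stores all four sample cookies and sends all of them to api.example.com, which is the sibling denial of service; the post-fix path keeps only `session` and `tab`. The jar scan is the check to run on existing -c/-b cookie files after upgrading, because the upgrade filters new cookies but does not rewrite cookies already on disk.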

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 32

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 8

News mentions: 0 (no linked articles in our index yet)