VYPR
Unrated severity · NVD Advisory · Published Oct 29, 2022 · Updated Feb 13, 2026

CVE-2022-42916

Description

An IDN hostname bypass in curl before 7.86.0 allows HTTP downgrade when HSTS is enabled, violating HTTPS policy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In curl versions 7.77.0 through 7.85.0, the HSTS (HTTP Strict Transport Security) check can be bypassed using Internationalized Domain Names (IDN). When curl is built with HSTS support and a URL contains IDN characters that IDN processing converts to ASCII equivalents (for example, the Unicode character U+3002, IDEOGRAPHIC FULL STOP, used in place of the ASCII full stop U+002E), the hostname curl compares against the HSTS cache is not the one that results from the conversion, so the cached entry may not match. curl then falls back to cleartext HTTP even though HTTPS was intended [3][4].
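The ordering problem described above, as an added example that is not curl's code or part of this advisory: a toy HSTS cache keyed on ASCII hostnames is consulted once with the hostname as written in the URL (the vulnerable ordering) and once after IDN-to-ASCII conversion (the fixed ordering). Python's stdlib `idna` codec treats U+3002 as a label separator, so it performs the same kind of conversion the text describes; the cache contents and the `choose_scheme` helper are constructed for the demonstration.

```python
# Added example (not curl's code): an HSTS lookup must run on the
# IDN-converted hostname, or a crafted separator defeats the cache match.

# Constructed HSTS cache: ASCII hostname -> includeSubDomains flag.
# (A real cache also stores an expiry time; omitted here.)
HSTS_CACHE = {"example.com": True}


def to_ascii_host(host: str) -> str:
    """IDN-to-ASCII conversion via the stdlib 'idna' codec.

    The codec treats U+3002, U+FF0E and U+FF61 as label separators, so
    'example\u3002com' becomes 'example.com'; non-ASCII labels become
    punycode (xn--...). The result is lowercased for cache comparison."""
    return host.encode("idna").decode("ascii").lower()


def hsts_applies(host: str) -> bool:
    """True on an exact cache hit, or on a parent-domain hit whose entry
    has includeSubDomains set."""
    labels = host.split(".")
    for i in range(len(labels)):
        flag = HSTS_CACHE.get(".".join(labels[i:]))
        if flag is not None and (i == 0 or flag):
            return True
    return False


def choose_scheme(host: str, convert_before_check: bool) -> tuple:
    """Return (scheme, connect_host) for an http:// URL naming `host`.

    convert_before_check=False mirrors the vulnerable ordering: the cache
    is looked up with the hostname exactly as written. True mirrors the
    fixed ordering. In both cases the connection goes to the converted
    hostname, so with the vulnerable ordering the real site is reached
    over cleartext HTTP despite its cached HSTS policy."""
    connect_host = to_ascii_host(host)
    lookup_host = connect_host if convert_before_check else host
    scheme = "https" if hsts_applies(lookup_host) else "http"
    return scheme, connect_host


if __name__ == "__main__":
    crafted = "example\u3002com"  # U+3002 in place of the ASCII full stop
    print(choose_scheme(crafted, convert_before_check=False))  # ('http', 'example.com')
    print(choose_scheme(crafted, convert_before_check=True))   # ('https', 'example.com')
```

Running the block shows the same converted hostname reached over HTTP under the vulnerable ordering and over HTTPS once the conversion happens before the lookup.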

Exploitation

An attacker can exploit this by tricking a victim into using curl (or an application that relies on curl) to access a URL containing a specially crafted IDN hostname. The victim must have HSTS support enabled in curl, and the attacker must be able to influence the URL used (e.g., via a crafted link or redirect). The IDN conversion silently changes the hostname, causing the HSTS preload list or previously stored HSTS policy to not apply, thus allowing a man-in-the-middle to downgrade the connection to HTTP [3][4].

Impact

Successful exploitation allows a man-in-the-middle attacker to force the use of plaintext HTTP instead of HTTPS, defeating HSTS protections. This can lead to disclosure or modification of data in transit (confidentiality and integrity compromise) that the user assumed would be encrypted. The attacker gains the ability to intercept, read, or alter network traffic that should have been protected by HTTPS.

Mitigation

The vulnerability is fixed in curl version 7.86.0, released October 26, 2022 [3][4]. Users should update curl to 7.86.0 or later. Apple included the fix in macOS Ventura 13.2 and macOS Monterey 12.6.3 [1][2][3][4]. No workaround is documented for unpatched versions; disabling HSTS may be a partial mitigation but is not recommended. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of early 2025.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 20

Patches: 0 (no patches discovered yet).

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 11

News mentions: 0 (no linked articles in our index yet).