CVE-2022-43551
Description
curl <7.87.0 HSTS check bypass via IDN homoglyph attack allows HTTP downgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in curl versions prior to 7.87.0 allows the HSTS (HTTP Strict Transport Security) mechanism to be bypassed when a URL contains Internationalized Domain Name (IDN) characters that are converted to ASCII equivalents during IDN processing. Specifically, using the Unicode character U+3002 (IDEOGRAPHIC FULL STOP) instead of the ASCII full stop (U+002E) can trick curl into storing the HSTS state IDN-encoded but looking it up IDN-decoded, so the two forms never match and HTTPS is not enforced on subsequent requests [1], [2].
Exploitation
An attacker who can control or influence a URL presented to curl (e.g., via a redirect or a malicious link) can craft a hostname containing an IDN homoglyph such as U+3002. When curl processes the URL, it performs IDN conversion to ASCII but stores the HSTS information in the encoded form. On a later request to the same logical host, curl looks up the HSTS state using the decoded form, finds no match, and falls back to plain HTTP. No authentication or special network position is required beyond the ability to trigger curl requests [1].
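The store/lookup mismatch described in the Vulnerability and Exploitation sections, as an added illustration that is not curl's code: a toy HSTS cache that keys entries by the IDN-encoded name but looks them up by the raw URL host, beside the canonicalising form that closes the gap. Class and function names are assumptions; Python's idna codec is used for the IDN conversion because it treats U+3002 as a label separator.

```python
# Added illustration (not curl's implementation): reproduces the
# "store IDN-encoded, look up IDN-decoded" mismatch with a toy HSTS cache.
from typing import Dict

IDEOGRAPHIC_FULL_STOP = "\u3002"  # the homoglyph named on the page


def to_ascii(host: str) -> str:
    """IDN-convert a host to its ASCII form.

    Python's idna codec splits labels on U+3002 as well as U+002E, so
    'example\u3002com' becomes 'example.com'.
    """
    return host.encode("idna").decode("ascii")


class HstsCacheVulnerable:
    """Stores under the IDN-encoded name but looks up the raw URL host."""

    def __init__(self) -> None:
        self._hosts: Dict[str, bool] = {}

    def store(self, host: str) -> None:
        # Entry created after an HTTPS response: name is IDN-encoded here.
        self._hosts[to_ascii(host)] = True

    def scheme_for(self, url_host: str) -> str:
        # Defect: the host is used as written in the URL, so a U+3002
        # spelling of a stored host misses and the request stays on HTTP.
        return "https" if url_host in self._hosts else "http"


class HstsCacheFixed(HstsCacheVulnerable):
    """Canonicalises on lookup as well, so every spelling hits the same key."""

    def scheme_for(self, url_host: str) -> str:
        return "https" if to_ascii(url_host) in self._hosts else "http"


def demo(cache: HstsCacheVulnerable) -> Dict[str, str]:
    """Constructed scenario: example.com previously sent an HSTS header."""
    cache.store("example.com")
    spellings = ["example.com", "example" + IDEOGRAPHIC_FULL_STOP + "com"]
    return {s: cache.scheme_for(s) for s in spellings}


if __name__ == "__main__":
    print("vulnerable:", demo(HstsCacheVulnerable()))
    print("fixed:     ", demo(HstsCacheFixed()))
```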
Impact
Successful exploitation results in the client communicating with the server over unencrypted HTTP instead of HTTPS, despite HSTS policy being in place. This allows an attacker on the network path to intercept, read, or modify the data in transit, undermining confidentiality and integrity. The attacker does not gain arbitrary code execution or elevated privileges, but can perform man-in-the-middle attacks [1], [2].
Mitigation
The fixed version is curl 7.87.0 (released December 21, 2022). Users should upgrade to curl >=7.87.0. For systems where an immediate upgrade is not possible, disabling HSTS or carefully validating IDNs can be considered, though no explicit workaround is documented in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing [1], [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
19 OSV coordinates, none with a CPE assigned; the affected version range is given per package:
- pkg:apk/chainguard/curl: < 7.87.0-r0
- pkg:apk/chainguard/curl-dev: < 7.87.0-r0
- pkg:apk/chainguard/curl-doc: < 7.87.0-r0
- pkg:apk/chainguard/curl-oci-entrypoint: < 7.87.0-r0
- pkg:apk/chainguard/curl-static: < 7.87.0-r0
- pkg:apk/chainguard/libcurl4: < 7.87.0-r0
- pkg:apk/chainguard/libcurl-openssl4: < 7.87.0-r0
- pkg:apk/wolfi/curl: < 7.87.0-r0
- pkg:apk/wolfi/curl-dev: < 7.87.0-r0
- pkg:apk/wolfi/curl-doc: < 7.87.0-r0
- pkg:apk/wolfi/curl-oci-entrypoint: < 7.87.0-r0
- pkg:apk/wolfi/curl-static: < 7.87.0-r0
- pkg:apk/wolfi/libcurl4: < 7.87.0-r0
- pkg:apk/wolfi/libcurl-openssl4: < 7.87.0-r0
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.4: < 7.79.1-150400.5.12.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%20Micro%205.3: < 7.79.1-150400.5.12.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed: < 7.87.0-1.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.3: < 7.79.1-150400.5.12.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4: < 7.79.1-150400.5.12.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.