CVE-2022-27779
CVE-2022-27779
In short
libcurl incorrectly allows websites to set cookies for entire top-level domains (like .com) when the hostname has a trailing dot, potentially causing cookies meant for one site to be sent to unrelated websites.
Technical detail
CVE-2022-27779 exploits a flaw in libcurl's cookie validation logic where trailing dots in hostnames bypass TLD protection checks, allowing arbitrary cookie injection for parent domains. The vulnerability requires the attacker to control a domain and trick a user into visiting it with curl, potentially leading to credential theft or session hijacking across unrelated sites sharing the same TLD.
Summary generated and translated by AI from the official description.
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without [Public Suffix List](https://publicsuffix.org/)awareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain.
Affected products
n/a · https://github.com/curl/curlWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →