CURL-CVE-2022-27780

Source
https://curl.se/docs/CVE-2022-27780.html
Import Source
https://curl.se/docs/CURL-CVE-2022-27780.json
JSON Data
https://api.test.osv.dev/v1/vulns/CURL-CVE-2022-27780
Aliases
Published
2022-05-11T08:00:00Z
Modified
2025-05-15T17:48:29Z
Summary
percent-encoded path separator in URL host
Details

The curl URL parser wrongly accepts percent-encoded URL separators such as '/' when decoding the hostname part of a URL. The decoded result is a different URL with the wrong hostname, and that wrong hostname is used when the URL is later retrieved.

For example, a URL like http://example.com%2F10.0.0.1/ would be accepted by the parser and transposed into http://example.com/10.0.0.1/. This flaw can be used to circumvent filters, checks and more.

Database specific
{
    "affects": "both",
    "last_affected": "7.83.0",
    "CWE": {
        "desc": "Improper Handling of URL Encoding",
        "id": "CWE-177"
    },
    "issue": "https://hackerone.com/reports/1553841",
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2022-27780.html",
    "award": {
        "currency": "USD",
        "amount": "2400"
    },
    "URL": "https://curl.se/docs/CVE-2022-27780.json",
    "severity": "Medium"
}
References
Credits
    • Axel Chong - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.80.0
Fixed
7.83.1
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*

7.80.0
7.81.0
7.82.0
7.83.0

Database specific

{
    "vanir_signatures": [
        {
            "source": "https://github.com/curl/curl.git/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a",
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "lib/urlapi.c",
                "function": "hostname_check"
            },
            "digest": {
                "length": 1399.0,
                "function_hash": "175578244964680735291736576270402210988"
            },
            "id": "CURL-CVE-2022-27780-5e408e0f"
        },
        {
            "source": "https://github.com/curl/curl.git/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a",
            "signature_type": "Line",
            "signature_version": "v1",
            "deprecated": false,
            "target": {
                "file": "lib/urlapi.c"
            },
            "digest": {
                "line_hashes": [
                    "199957627763592549612385795254149834550",
                    "151428187081067779662697927472516771049",
                    "119160317506403307842112826299814095034",
                    "25289416254833179104566548130852379552"
                ],
                "threshold": 0.9
            },
            "id": "CURL-CVE-2022-27780-fb7e3e79"
        }
    ]
}