curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.
The use of such a decompression chain could result in a "malloc bomb": curl would consume enormous amounts of heap memory, or attempt to allocate it and fail with out-of-memory errors.
{ "award": { "amount": "2400", "currency": "USD" }, "www": "https://curl.se/docs/CVE-2022-32206.html", "last_affected": "7.83.1", "CWE": { "desc": "Allocation of Resources Without Limits or Throttling", "id": "CWE-770" }, "package": "curl", "severity": "Medium", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-32206.json", "issue": "https://hackerone.com/reports/1570651" }
{ "vanir_signatures": [ { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "45157733837481580733201877978631346553", "289994305010963280595464022725692321783", "285418258574578001939871387444273795700", "36972230101229254421458880172651761630", "258485294902386500308213611257281103675", "223508019877366983451146801494110424292", "111336570175832252860899159343638748825", "306740132958412367269024066267076989494", "249434907631169292432704525991203976794", "24000321900336010795433163882969240477" ] }, "source": "https://github.com/curl/curl.git/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2", "deprecated": false, "target": { "file": "lib/content_encoding.c" }, "signature_type": "Line", "id": "CURL-CVE-2022-32206-2afb59a3" }, { "signature_version": "v1", "digest": { "length": 874.0, "function_hash": "135163556199857411550722417587621050098" }, "source": "https://github.com/curl/curl.git/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2", "deprecated": false, "target": { "file": "lib/content_encoding.c", "function": "Curl_build_unencoding_stack" }, "signature_type": "Function", "id": "CURL-CVE-2022-32206-c8d05009" } ] }