CVE-2022-32206

MEDIUM

curl < 7.84.0 - Denial of Service via Unbounded HTTP Compression Chain

Title source: llm

Description

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to allocate it and failing with out-of-memory errors.

References (11)

Third Party Advisory (vendor-advisory): https://www.debian.org/security/2022/dsa-5197
Mailing List, Third Party Advisory (mailing-list): https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
Mailing List, Third Party Advisory (mailing-list): http://seclists.org/fulldisclosure/2022/Oct/41
Mailing List, Third Party Advisory (mailing-list): http://seclists.org/fulldisclosure/2022/Oct/28
Third Party Advisory (vendor-advisory): https://security.gentoo.org/glsa/202212-01
Mailing List, Third Party Advisory (mailing-list): http://www.openwall.com/lists/oss-security/2023/02/15/3
Exploit, Third Party Advisory: https://hackerone.com/reports/1570651

Scores

CVSS v3 6.5
EPSS 0.0337
EPSS Percentile 87.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (21)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 35
haxx/curl < 7.84.0
netapp/bootstrap_os
netapp/clustered_data_ontap
netapp/element_software
netapp/h300s_firmware
netapp/h410s_firmware
netapp/h500s_firmware
... and 11 more
Published Jul 07, 2022
Tracked Since Feb 18, 2026