CVE-2022-32205 Overview
CVE-2022-32205 is an uncontrolled resource consumption flaw (CWE-770) in the cookie handling of curl and libcurl versions before 7.84.0. A malicious server can return an excessive number of large Set-Cookie: headers in an HTTP response, and curl stores all of them whenever its cookie engine is enabled (the -b/-c options of the curl tool, or CURLOPT_COOKIEFILE/CURLOPT_COOKIEJAR in libcurl). Once enough cookie data has accumulated, every subsequent request to that server, or to any other host the stored cookies match, grows larger than the threshold curl uses internally to refuse absurdly large requests (1,048,576 bytes), and curl returns an error instead of sending it.
The denial of service persists for as long as the offending cookies remain stored, still match the target host and have not expired. HTTP cookie scoping rules make this worse: a server on foo.example.com may set cookies with Domain=example.com, which curl then also sends to bar.example.com. A malicious or compromised "sister server" can therefore deny service to sibling sites under the same second-level domain without ever being contacted by the victim again.
Impact
Applications using vulnerable curl versions can lose the ability to talk to legitimate services because the cookie data they carry pushes every request over curl's size limit. Since cookies scoped to a parent domain are replayed to sibling hosts, one malicious or compromised subdomain can deny service to other hosts under the same second-level domain. The impact is availability only: no data disclosure or code execution results, and NVD scores the issue CVSS 3.1 4.3 (Medium).
Affected Products
- Haxx curl versions prior to 7.84.0
- Apple macOS (multiple versions)
- Fedora 35
- Debian Linux 11.0
- NetApp ONTAP, Element Software, HCI Management Node, SolidFire
- NetApp H-Series (H300S, H500S, H700S, H410S) firmware
- Siemens SCALANCE SC-600 family firmware
- Splunk Universal Forwarder
Discovery Timeline
- 2022-07-07 - CVE-2022-32205 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2022-32205
Vulnerability Analysis
The vulnerability stems from curl's cookie store, which before 7.84.0 placed no limit on the number or cumulative size of cookies accepted from a server. When a server includes numerous or oversized Set-Cookie: headers in its responses, curl stores every one of them.
The attack takes effect when the cookies that match a subsequent request are serialised into its Cookie: header and the request exceeds curl's fixed maximum request size of 1,048,576 bytes. In libcurl this check sits in the dynamic buffer used to assemble the request; when the buffer would grow past its limit, building the request fails with CURLE_OUT_OF_MEMORY (27), and that is the error the calling application sees. Nothing is sent, so the application cannot talk to any host the stored cookies match.
The cross-subdomain impact amplifies the severity. Under standard cookie scoping, a cookie whose Domain attribute names a parent domain matches every host under that domain, so an attacker controlling one subdomain can disrupt a curl-based application's communication with entirely different services on sibling subdomains. Host-only cookies (no Domain attribute) affect only the host that set them.
Root Cause
The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). curl's cookie store did not enforce any limit on the number or cumulative size of cookies accepted from HTTP responses. The store therefore grows without bound until the request-size guard trips; that guard was designed to stop curl from building absurd requests, not to handle cookies gracefully, so the condition surfaces as a persistent failure rather than as trimmed or rejected cookies.
Attack Vector
The attack is network-based and requires user interaction in the sense that the victim's curl-based application, with its cookie engine enabled, must make a request to the attacker's server. The attacker must control a server the application connects to, or compromise an existing one, and inject the malicious Set-Cookie: headers into its responses.
The attack flow proceeds as follows:
- The victim application makes an HTTP request to the attacker-controlled or compromised server
- The server responds with a large number of large Set-Cookie: headers, optionally scoped with a Domain attribute to the parent domain so that they also match sibling subdomains
- curl stores every cookie, with no count or size limit
- Subsequent requests to any host matching the stored cookies fail as soon as the serialised Cookie: header pushes the request over the 1 MiB (1,048,576 byte) threshold
- The denial condition persists until the cookies expire or are cleared
This vulnerability does not allow data exfiltration or code execution, but can significantly disrupt application availability and functionality.
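The scoping and size arithmetic above, as an added example that is not code from curl: a simplified model of the pre-7.84.0 cookie store (unbounded), RFC 6265 domain matching, and the 1,048,576-byte request guard. The hosts, cookie counts and value sizes are constructed for the demonstration; `simulate()` plays out the sister-server case (cookies scoped with Domain=example.com) and, for contrast, the host-only case where only the setting host is affected.

```python
"""Model of the cookie accumulation behind CVE-2022-32205 (added example, not curl code)."""
from dataclasses import dataclass

# curl refuses to build an HTTP request that grows beyond this many bytes.
MAX_REQUEST_BYTES = 1_048_576


class RequestTooLarge(Exception):
    def __init__(self, size):
        super().__init__(f"request of {size} bytes exceeds {MAX_REQUEST_BYTES}")
        self.size = size


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # canonical, without a leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def parse_set_cookie(header_value, request_host):
    """Extract name=value and the Domain attribute; Path/Expires are ignored in this model."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only = request_host.lower(), True
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain, host_only = val.strip().lstrip(".").lower(), False
    return Cookie(name.strip(), value, domain, host_only)


def domain_matches(host, domain):
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


class CookieJar:
    """Unbounded store, as in curl before 7.84.0: every accepted cookie is kept."""

    def __init__(self):
        self.cookies = []

    def store_response(self, request_host, set_cookie_headers):
        for header in set_cookie_headers:
            cookie = parse_set_cookie(header, request_host)
            # A server may only scope a cookie to itself or a parent domain
            # (public-suffix checks omitted); unrelated domains are rejected.
            if domain_matches(request_host, cookie.domain):
                self.cookies.append(cookie)   # no count or size cap: the defect

    def _sent_to(self, host, cookie):
        if cookie.host_only:
            return host.lower() == cookie.domain
        return domain_matches(host, cookie.domain)

    def cookie_header(self, host):
        matching = [f"{c.name}={c.value}" for c in self.cookies if self._sent_to(host, c)]
        return f"Cookie: {'; '.join(matching)}\r\n" if matching else ""


def build_request(jar, host, path="/"):
    """Build the request curl would send; raise where curl would refuse to build it."""
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
           f"User-Agent: curl/7.83.1\r\nAccept: */*\r\n"
           + jar.cookie_header(host) + "\r\n")
    if len(req) > MAX_REQUEST_BYTES:
        raise RequestTooLarge(len(req))
    return req


def simulate(parent_scoped=True, n_cookies=300, value_len=4000):
    """One visit to foo.example.com, then requests to a sibling and an unrelated host.

    parent_scoped=True: cookies carry Domain=example.com and are replayed to every
    *.example.com host (the sister-server case). False: host-only cookies, which only
    poison foo.example.com itself.
    """
    jar = CookieJar()
    scope = "; Domain=example.com" if parent_scoped else ""
    # Constructed malicious response: many large Set-Cookie headers.
    headers = [f"c{i}={'A' * value_len}{scope}; Path=/" for i in range(n_cookies)]
    jar.store_response("foo.example.com", headers)

    outcome = {}
    for host in ("foo.example.com", "bar.example.com", "shop.example.net"):
        try:
            build_request(jar, host)
            outcome[host] = "ok"
        except RequestTooLarge as exc:
            outcome[host] = f"blocked ({exc.size} bytes)"
    return outcome


if __name__ == "__main__":
    for scoped in (True, False):
        print("Domain=example.com:" if scoped else "host-only cookies:", simulate(scoped))
```

With the defaults (300 cookies of 4,000 bytes, about 1.2 MB on the wire) both foo.example.com and bar.example.com are blocked in the parent-scoped case while shop.example.net is untouched; with host-only cookies only foo.example.com fails. Any cap on cookie count or size in `store_response` keeps the Cookie: header well under the request limit, which is the shape of the 7.84.0 fix.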
Detection Methods for CVE-2022-32205
Indicators of Compromise
- HTTP responses containing an unusually high number of Set-Cookie: headers (dozens or hundreds per response), or individual cookies of several kilobytes, especially with a Domain attribute naming the parent domain
- curl-based applications suddenly failing against previously working servers, and against other hosts under the same second-level domain, while the servers themselves stay reachable
- Abnormally large cookie jar files, or growing memory use, in applications using libcurl with a persistent cookie store
- libcurl calls failing with CURLE_OUT_OF_MEMORY (27, "Out of memory") on requests that are small apart from their Cookie: header
Detection Strategies
- Monitor HTTP traffic for responses with excessive Set-Cookie: header counts from untrusted or unusual sources
- Log libcurl error codes per request; the oversized-request guard surfaces as CURLE_OUT_OF_MEMORY (27) rather than a dedicated request-size error, so treat that code on an otherwise small request as a cookie-accumulation signal, not only as a memory problem
- Track cookie jar growth over time and alert on sudden increases
- Deploy network intrusion detection rules to flag responses with anomalous cookie header patterns
Monitoring Recommendations
- Establish baseline metrics for typical cookie counts and sizes in your environment
- Configure alerts for curl-based applications experiencing repeated connection failures to specific domains
- Monitor server logs for patterns indicating potential cookie-based DoS attempts
- Implement periodic cookie jar size auditing for long-running curl-based services
How to Mitigate CVE-2022-32205
Immediate Actions Required
- Upgrade curl to version 7.84.0 or later, where curl caps the number and size of cookies it stores
- For systems where immediate patching is not possible, implement network-level controls to restrict connections to trusted servers only
- Review and audit any curl-based applications that connect to untrusted or user-specified URLs
- Consider implementing application-level cookie jar size limits as an additional defense layer
Patch Information
The fix was released in curl version 7.84.0. Multiple vendors have released their own advisories and patches:
- Haxx (curl): Upgrade to version 7.84.0 or later
- Apple: Security update available per Apple Support Document HT213488
- Debian: DSA-5197 security advisory
- Siemens: SSA-333517 advisory for SCALANCE devices
- NetApp: Security Advisory ntap-20220915-0003
- Gentoo: GLSA 202212-01
Additional details are available via the HackerOne Report.
Workarounds
- If upgrading is not immediately possible, configure network firewalls to block or limit connections to untrusted servers
- Implement application-level controls to clear cookie jars periodically or after connecting to untrusted domains (in libcurl, CURLOPT_COOKIELIST with "ALL" discards every cookie held by the handle)
- For the curl tool, remember that cookies are only stored and sent when the cookie engine is enabled with -b/--cookie or -c/--cookie-jar; leave it off for untrusted servers, or give each invocation a throwaway jar so nothing is replayed later
- Note that --max-filesize limits only the response body, not headers, so it does not cap Set-Cookie: accumulation and is not a mitigation for this issue
# Example: a throwaway cookie jar per invocation, for cases where the cookie engine is needed
# (without -b/-c the curl tool neither stores nor sends cookies, which is the simplest defence)
jar="$(mktemp /tmp/isolated_cookies.XXXXXX)"
trap 'rm -f "$jar"' EXIT
curl --cookie "$jar" --cookie-jar "$jar" \
     --max-time 30 \
     https://untrusted-server.example.com/
# Cookies received are written to "$jar", which is deleted on exit, so a later
# invocation never replays them to this server or to its sibling hosts
# For long-running libcurl services, rotate or clear the jar periodically from the
# application or its wrapper scripts
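The periodic cookie jar auditing recommended under Monitoring Recommendations and the periodic clearing suggested under Workarounds, as one added example that is not curl's code: it parses the Netscape-format jar that curl -c and CURLOPT_COOKIEJAR write (including the `#HttpOnly_` prefix curl uses), reports per-domain cookie counts and on-the-wire bytes, flags domains over a threshold, and prunes them. The thresholds are illustrative values chosen for this example, not curl's built-in limits, and the sample jar is constructed.

```python
"""Audit and prune a curl cookie jar (Netscape format). Added example, not curl code."""
from collections import defaultdict

MAX_COOKIES_PER_DOMAIN = 150          # illustrative audit threshold for this example
MAX_BYTES_PER_DOMAIN = 256 * 1024     # illustrative; well under curl's 1 MiB request cap


def parse_netscape_jar(text):
    """One dict per cookie line. Comment lines are skipped, except curl's
    '#HttpOnly_' prefix, which marks a real cookie."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue   # malformed line: ignore rather than guess
        domain, _subdomains, _path, _secure, _expires, name, value = fields
        cookies.append({
            "domain": domain.lstrip(".").lower(),
            "name": name,
            "wire_bytes": len(name) + 1 + len(value) + 2,   # "name=value; " as sent
            "http_only": http_only,
            "fields": fields,
        })
    return cookies


def audit(cookies):
    """Per-domain count and on-the-wire bytes, plus the domains over threshold."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for c in cookies:
        stats[c["domain"]]["count"] += 1
        stats[c["domain"]]["bytes"] += c["wire_bytes"]
    flagged = {d: s for d, s in stats.items()
               if s["count"] > MAX_COOKIES_PER_DOMAIN or s["bytes"] > MAX_BYTES_PER_DOMAIN}
    return dict(stats), flagged


def prune(cookies):
    """Keep, per domain, the smallest cookies that fit under both thresholds."""
    by_domain = defaultdict(list)
    for c in cookies:
        by_domain[c["domain"]].append(c)
    kept = []
    for group in by_domain.values():
        count = total = 0
        for c in sorted(group, key=lambda c: c["wire_bytes"]):   # ascending, so break is safe
            if count >= MAX_COOKIES_PER_DOMAIN or total + c["wire_bytes"] > MAX_BYTES_PER_DOMAIN:
                break
            kept.append(c)
            count, total = count + 1, total + c["wire_bytes"]
    return kept


def write_netscape_jar(cookies):
    lines = ["# Netscape HTTP Cookie File"]
    for c in cookies:
        lines.append(("#HttpOnly_" if c["http_only"] else "") + "\t".join(c["fields"]))
    return "\n".join(lines) + "\n"


def _jar_line(domain, name, value, subdomains=True, http_only=False):
    """Build one Netscape cookie line (domain, subdomain flag, path, secure, expiry, name, value)."""
    prefix = "#HttpOnly_" if http_only else ""
    dom = ("." + domain) if subdomains else domain
    return f"{prefix}{dom}\t{'TRUE' if subdomains else 'FALSE'}\t/\tFALSE\t2000000000\t{name}\t{value}"


# Constructed jar: two ordinary cookies plus 200 large cookies scoped to example.com,
# the state a sister server could leave behind in a pre-7.84.0 curl.
SAMPLE_JAR = "\n".join(
    ["# Netscape HTTP Cookie File",
     _jar_line("api.example.net", "session", "abc123", subdomains=False, http_only=True),
     _jar_line("login.example.org", "csrf", "deadbeef", subdomains=False)]
    + [_jar_line("example.com", f"c{i}", "A" * 2000) for i in range(200)]
) + "\n"


def audit_and_prune(text):
    """Return (flagged domains, jar text): the jar is rewritten only when something is flagged."""
    cookies = parse_netscape_jar(text)
    _, flagged = audit(cookies)
    return flagged, (write_netscape_jar(prune(cookies)) if flagged else text)


if __name__ == "__main__":
    flagged, new_jar = audit_and_prune(SAMPLE_JAR)
    for d, s in flagged.items():
        print(f"{d}: {s['count']} cookies, {s['bytes']} bytes, over threshold")
    print(f"pruned jar keeps {len(parse_netscape_jar(new_jar))} cookies")
```

Run from a wrapper script or a timer between curl invocations, `audit_and_prune` turns the "jar growth" indicator into an alert (the flagged dict) and applies the clear-periodically workaround surgically, dropping only the offending domain's excess while leaving unrelated session cookies in place. On a patched curl the caps are enforced at storage time and this audit should never flag anything.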
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.