CVE-2022-32207 Overview
CVE-2022-32207 is an insecure permissions vulnerability affecting curl versions prior to 7.84.0. When curl saves cookies, alt-svc, and HSTS data to local files, it performs an atomic operation by finalizing the write with a rename from a temporary file to the final target filename. During this rename operation, curl may inadvertently widen the permissions on the target file, potentially making the updated file accessible to more users than originally intended.
This vulnerability poses a significant security concern because it can lead to unauthorized information disclosure. Sensitive data stored in these files, including session cookies, alt-svc records, and HTTP Strict Transport Security (HSTS) policies, could be exposed to other local users or processes on the same system.
Critical Impact
Sensitive cookie data, alt-svc records, and HSTS policies may become world-readable, enabling local attackers to hijack sessions or bypass security policies.
Affected Products
- haxx curl (versions prior to 7.84.0)
- fedoraproject fedora 35
- debian debian_linux 11.0
- netapp clustered_data_ontap
- netapp element_software
- netapp hci_management_node
- netapp solidfire
- netapp hci_compute_node
- apple macos
- splunk universal_forwarder
Discovery Timeline
- 2022-07-07 - CVE-2022-32207 published to NVD
- 2025-04-23 - Last updated in NVD database
Technical Details for CVE-2022-32207
Vulnerability Analysis
The vulnerability arises from improper file permission handling during curl's file persistence operations. When curl writes cookies, alt-svc, or HSTS data to disk, it uses an atomic write pattern for data integrity: it first writes to a temporary file, then renames that file over the target location. However, the permission handling around this rename is flawed: the temporary file is not given the restrictive mode of the file it replaces, so the rename can leave the final file with permissions wider than originally intended.
This creates a race condition scenario in which the final file ends up with permissions more permissive than the original file had, or than the umask would normally allow. The consequence is that files containing authentication tokens, session cookies, and transport security policies become readable by users who should not have access to this sensitive data.
Root Cause
The root cause is classified under CWE-276 (Incorrect Default Permissions) and CWE-840 (Business Logic Errors). The vulnerability stems from curl's file operation logic failing to properly preserve or enforce restrictive permissions when performing the atomic rename from temporary to final target file. Instead of maintaining the intended restrictive permissions, the rename operation may reset or widen permissions based on the system's default umask or other environmental factors.
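As an added example (not curl's own code), the following C program models the rewrite pattern described above: a private 0600 cookie file is rewritten through a temporary file created under umask 022. With preserve=0 the rename leaves the file at 0644, which is the widening the advisory describes; with preserve=1 the temporary file is given the original file's mode before the rename, the same idea as the 7.84.0 fix. The path, function names and file contents are constructed for the demo.

```c
/* Added example, not curl's own code: models the pre-7.84.0 atomic
 * rewrite and the hardened form. Paths and data are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it does not exist. */
static int file_mode(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Audit check: can group or other users read the file? */
static int readable_by_others(const char *path) {
    int m = file_mode(path);
    return m >= 0 && (m & (S_IRGRP | S_IROTH)) != 0;
}

/* Write data to target.tmp, then rename() it over target.
 * preserve=0 mirrors the flaw: the temp file keeps its umask-derived
 * mode (0666 & ~umask, usually 0644), so a 0600 target is widened.
 * preserve=1 copies the original target's mode onto the temp file
 * before the rename, the idea behind the 7.84.0 fix. Returns 0 on success. */
static int atomic_replace(const char *target, const char *data, int preserve) {
    char tmp[4096];
    int orig = file_mode(target);
    snprintf(tmp, sizeof tmp, "%s.tmp", target);
    FILE *f = fopen(tmp, "w");
    if (!f) return -1;
    fputs(data, f);
    if (preserve && orig >= 0 && fchmod(fileno(f), (mode_t)orig) != 0) {
        fclose(f); unlink(tmp); return -1;
    }
    if (fclose(f) != 0 || rename(tmp, target) != 0) {
        unlink(tmp); return -1;
    }
    return 0;
}

/* Create a private (0600) cookie jar, rewrite it, return the new mode. */
static int demo(const char *path, int preserve) {
    umask(022);                           /* a common default umask */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "# Netscape HTTP Cookie File\n", 28) != 28 ||
        fchmod(fd, 0600) != 0) { close(fd); return -1; }
    close(fd);
    return atomic_replace(path, "# rewritten\n", preserve) == 0 ? file_mode(path) : -1;
}
```

The readable_by_others check is the same test an audit script would apply to existing cookie, alt-svc and HSTS files on a shared host.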
Attack Vector
Although the recorded attack vector is network, exploitation in practice is local: an attacker with an account on the same system can use the widened permissions to read curl's sensitive data files. The attack scenario involves:
- A user or application uses curl with cookie/alt-svc/HSTS file storage features
- curl performs a write operation, creating a temporary file and renaming it
- Due to the permission flaw, the final file becomes more accessible
- A local attacker monitors for these permission changes and reads the exposed data
- The attacker extracts session cookies or security policies to hijack sessions or perform further attacks
The vulnerability does not require authentication and has no user interaction requirement, as it occurs automatically during normal curl operations. The potential for exposure of highly sensitive authentication data makes this a significant security concern in multi-user environments.
Detection Methods for CVE-2022-32207
Indicators of Compromise
- Unusual permission changes on curl data files (cookie, alt-svc, and HSTS files) to group- or world-readable modes
- Unexpected read access patterns to cookie files from non-owner processes
- Evidence of session hijacking or unauthorized authentication using valid session tokens
- Anomalous file system monitoring events around curl data directories
Detection Strategies
- Implement file integrity monitoring (FIM) on curl data directories to detect permission changes
- Deploy audit logging for file permission modifications using auditd rules targeting curl-related paths
- Monitor for curl processes writing to files and immediately check resulting file permissions
- Use security scanning tools to identify curl versions below 7.84.0 across the environment
Monitoring Recommendations
- Enable file access auditing on directories containing curl cookie and configuration files
- Configure SIEM alerts for unexpected permission changes on sensitive application data files
- Implement endpoint detection rules for suspicious file permission patterns in multi-user systems
- Schedule regular vulnerability scans to identify unpatched curl installations
How to Mitigate CVE-2022-32207
Immediate Actions Required
- Upgrade curl to version 7.84.0 or later immediately
- Audit existing curl data files (cookies, alt-svc, HSTS) for improper permissions and correct them
- Review applications and scripts that use curl with file storage features and ensure they are using patched versions
- On multi-user systems, implement restrictive umask settings as a defense-in-depth measure
Patch Information
The vulnerability is fixed in curl version 7.84.0. Multiple vendors have released security updates addressing this vulnerability:
- Debian: Security advisory DSA-5197
- Fedora: Package update available via Fedora Package Announcement
- Gentoo: GLSA 202212-01
- NetApp: Security Advisory NTAP-20220915-0003
- Apple: Security Update HT213488 for macOS
For additional technical details, see the HackerOne Report #1573634.
Workarounds
- Apply restrictive umask (e.g., umask 077) before running curl operations that write to files
- Ensure curl data files are stored in directories with restrictive permissions (e.g., 700)
- Avoid using curl's file-based cookie/alt-svc/HSTS storage on shared multi-user systems until patched
- Use application-level controls to verify file permissions after curl operations complete
# Configuration example
# Apply restrictive umask before curl operations
umask 077
# Verify and fix permissions on existing curl data files
chmod 600 ~/.curl_cookies
chmod 600 ~/.curlrc
chmod 700 ~/.curl/
# Check curl version to confirm patch status
curl --version | grep -E "^curl [0-9]"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.