The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2022-35252

CVE-2022-35252: Haxx Curl Cookie DOS Vulnerability

CVE-2022-35252 is a denial of service vulnerability in Haxx Curl where malicious cookies with control codes cause server errors. This article covers the technical details, affected versions, impact, and mitigation.

Published: February 18, 2026

CVE-2022-35252 Overview

CVE-2022-35252 is an improper input validation vulnerability in curl that allows cookies containing control codes to be accepted and stored. When these malformed cookies are subsequently sent back to HTTP servers, they may cause the servers to return HTTP 400 Bad Request responses. This behavior effectively enables a "sister site" attack where one site under a shared domain can inject malicious cookies that cause denial of service for sibling sites under the same parent domain.

Critical Impact

A malicious website sharing a cookie domain with legitimate services can inject control characters into cookies, causing denial of service for all sibling sites when the affected curl client attempts to communicate with them.

Affected Products

  • Haxx curl (versions prior to patch)
  • NetApp Clustered Data ONTAP
  • NetApp Element Software
  • NetApp HCI Management Node
  • NetApp SolidFire
  • NetApp HCI Compute Node (including H300S, H500S, H700S, H410S with firmware)
  • Apple macOS
  • Debian Linux 10.0
  • Splunk Universal Forwarder

Discovery Timeline

  • 2022-09-23 - CVE CVE-2022-35252 published to NVD
  • 2025-05-05 - Last updated in NVD database

Technical Details for CVE-2022-35252

Vulnerability Analysis

This vulnerability stems from curl's cookie parsing engine failing to properly validate and reject cookies containing ASCII control characters (bytes 0x00-0x1F and 0x7F). When curl retrieves cookies from an HTTP(S) server, the cookie parser accepts these malformed values without sanitization. The control codes are stored in curl's cookie jar and subsequently transmitted in Cookie headers on subsequent requests to matching domains.

HTTP servers conforming to RFC specifications will typically reject requests containing control characters in headers, responding with HTTP 400 Bad Request errors. This creates an asymmetric denial of service scenario where an attacker-controlled "sister site" (a site sharing the same parent domain, such as evil.example.com and legitimate.example.com) can set cookies that poison requests to all sibling sites.

Root Cause

The root cause is classified under CWE-20 (Improper Input Validation). The curl cookie parsing code did not implement sufficient validation to reject or sanitize cookie values containing control characters. HTTP cookies should contain only printable ASCII characters, but curl's parser was overly permissive in accepting arbitrary byte sequences.

Attack Vector

The attack requires network access and exploits curl's cookie handling across related domains. An attacker must control or compromise a website that shares a cookie domain with the target sites. The attack flow proceeds as follows:

  1. The attacker's malicious site sets a cookie containing embedded control characters (such as \\x01, \\x0D, or other non-printable bytes)
  2. The cookie is scoped to the parent domain (e.g., .example.com) allowing it to be sent to sibling sites
  3. When the victim's curl-based application later connects to legitimate sibling sites, the poisoned cookie is included in the request
  4. The target HTTP server rejects the malformed request with HTTP 400, denying service

The vulnerability requires no user interaction and no privileges, but the attack complexity is high as it depends on the attacker having control over a related site and the victim using a vulnerable curl version to access multiple sites on the shared domain.

Detection Methods for CVE-2022-35252

Indicators of Compromise

  • HTTP 400 Bad Request responses from servers that previously worked correctly with curl-based clients
  • Cookie jar files or cookie storage containing non-printable ASCII characters (bytes 0x00-0x1F, 0x7F)
  • Unusual patterns in web server access logs showing malformed Cookie headers
  • Multiple sibling sites under a shared domain simultaneously experiencing client connection failures

Detection Strategies

  • Implement HTTP traffic inspection to identify Cookie headers containing control characters or non-printable bytes
  • Monitor curl-based applications for elevated rates of HTTP 400 responses that may indicate cookie poisoning
  • Audit cookie storage mechanisms for the presence of binary or control character data in cookie values
  • Review web server error logs for patterns of malformed request rejections from known curl user-agents

Monitoring Recommendations

  • Configure web application firewalls to log and alert on requests with control characters in Cookie headers
  • Establish baseline metrics for HTTP 400 error rates and alert on anomalous increases affecting curl-based services
  • Monitor security advisories from curl, operating system vendors, and downstream consumers like Splunk and NetApp for patch availability

How to Mitigate CVE-2022-35252

Immediate Actions Required

  • Update curl to the latest patched version that properly validates and rejects cookies containing control characters
  • Review and update all applications and systems embedding curl as a library, including NetApp storage products and Splunk Universal Forwarder
  • Clear existing cookie jars that may contain poisoned cookies from potentially malicious sites
  • For Apple macOS users, apply updates referenced in Apple Support Article HT213603 and Apple Support Article HT213604

Patch Information

Multiple vendors have released patches addressing this vulnerability. Key resources include:

  • HackerOne Report #1613943 - Original vulnerability report
  • NetApp Security Advisory ntap-20220930-0005 - NetApp product updates
  • Gentoo GLSA 202212-01 - Gentoo Linux security update
  • Debian LTS Announcement January 2023 - Debian security update

Workarounds

  • Implement server-side cookie validation to reject cookies containing control characters before they reach curl-based clients
  • Configure network security controls to inspect and block HTTP Set-Cookie responses containing non-printable characters
  • Isolate curl-based applications from accessing untrusted sites that share cookie domains with critical services
  • Consider using cookie jars scoped to specific trusted domains rather than accepting all cookies
bash
# Example: Check curl version to verify patch status
curl --version

# Example: Clear potentially poisoned cookie jar
rm -f ~/.curl_cookies
rm -f /path/to/application/cookie_jar.txt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechHaxx Curl
  • SeverityLOW
  • CVSS Score3.7
  • EPSS Probability0.10%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-20
  • NVD-CWE-noinfo
  • Technical References
  • Full Disclosure January 20, 2023
  • Full Disclosure January 21, 2023
  • HackerOne Report #1613943
  • Debian LTS Announcement January 2023
  • Gentoo GLSA 202212-01
  • NetApp Security Advisory ntap-20220930-0005
  • Apple Support Article HT213603
  • Apple Support Article HT213604
  • Related CVEs
  • CVE-2024-2004: Haxx Curl DOS Vulnerability
  • CVE-2025-5399: Haxx Curl WebSocket DoS Vulnerability
  • CVE-2022-32206: Haxx Curl DOS Vulnerability
  • CVE-2022-32205: Haxx Curl Set-Cookie DOS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English