CVE-2022-42916 Overview
CVE-2022-42916 is a security vulnerability in curl that allows attackers to bypass HSTS (HTTP Strict Transport Security) protection by exploiting IDN (Internationalized Domain Name) character conversion. When curl processes URLs containing certain Unicode characters, the HSTS check can be circumvented, causing the client to use insecure HTTP instead of HTTPS even when HSTS protection should enforce secure connections.
The vulnerability stems from improper handling of IDN characters during URL parsing. Specifically, an attacker can use the UTF-8 character U+3002 (IDEOGRAPHIC FULL STOP) instead of the standard ASCII period (U+002E) in domain names. During IDN conversion, these characters are replaced with their ASCII equivalents, but this conversion occurs after the HSTS check, effectively bypassing the security mechanism.
Critical Impact
Attackers can force curl to transmit sensitive data over unencrypted HTTP connections by bypassing HSTS protection, potentially exposing credentials, session tokens, and other sensitive information to network-based attackers.
Affected Products
- Haxx curl versions 7.77.0 through 7.85.0
- Fedora Project Fedora 35, 36, and 37
- Apple macOS (multiple versions)
- Splunk Universal Forwarder (multiple versions including 9.1.0)
Discovery Timeline
- 2022-10-29 - CVE CVE-2022-42916 published to NVD
- 2026-02-13 - Last updated in NVD database
Technical Details for CVE-2022-42916
Vulnerability Analysis
This vulnerability represents a protocol security bypass affecting curl's HSTS implementation. The root cause lies in the order of operations during URL processing—specifically, the HSTS lookup occurs before IDN character normalization, creating a window where specially crafted domain names can evade HSTS enforcement.
When a user or application configures curl to use HSTS (via the --hsts option or CURLOPT_HSTS API), curl maintains a cache of domains that should only be accessed via HTTPS. However, when an attacker supplies a URL containing IDN characters like the ideographic full stop (。) instead of a regular period (.), the HSTS cache lookup fails to match the entry because the characters differ at the byte level. Subsequently, the IDN conversion normalizes the domain name to ASCII, but by this point the HSTS check has already passed, allowing the connection to proceed over HTTP.
This attack requires the attacker to control or influence the URL that curl processes, which could occur through various scenarios such as URL redirection, man-in-the-middle attacks modifying responses, or applications that accept user-provided URLs.
Root Cause
The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information). The root cause is a logic flaw in curl's HSTS implementation where the security check operates on the raw URL before IDN normalization. This creates a mismatch between the domain name as checked against the HSTS cache and the actual domain name after IDN processing, allowing bypass of the transport security enforcement mechanism.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker positioned on the network path can exploit this vulnerability by:
- Intercepting legitimate HTTPS redirect responses
- Modifying the redirect URL to use IDN-encoded characters that normalize to the target domain
- curl processes the crafted URL, fails to match it against the HSTS cache, and connects via HTTP
- The attacker can then intercept, read, or modify the unencrypted traffic
The exploitation leverages Unicode normalization behavior to create visually similar but technically different domain representations that bypass security checks.
Detection Methods for CVE-2022-42916
Indicators of Compromise
- Unexpected HTTP (non-HTTPS) connections to domains that should enforce HSTS
- Network traffic containing URLs with Unicode full stop characters (U+3002) in domain names
- Log entries showing curl connecting to HTTP endpoints for known HTTPS-only domains
Detection Strategies
- Monitor for curl processes initiating HTTP connections to sensitive domains that have HSTS policies
- Implement network-level inspection for URLs containing IDN characters in security-sensitive contexts
- Audit curl version deployments across infrastructure to identify vulnerable installations (7.77.0 - 7.85.0)
- Review application logs for unusual URL patterns containing non-ASCII characters in domain portions
Monitoring Recommendations
- Deploy network monitoring to flag HTTP traffic to domains with known HSTS policies
- Implement version tracking for curl installations across all systems and containers
- Configure alerting for any curl instances running versions between 7.77.0 and 7.85.0
- Monitor for IDN-related URL patterns in web application firewall logs
How to Mitigate CVE-2022-42916
Immediate Actions Required
- Upgrade curl to version 7.86.0 or later immediately on all affected systems
- Audit all applications and systems that embed or use libcurl for vulnerable versions
- Review Splunk Universal Forwarder deployments and apply vendor patches
- For macOS systems, apply the latest security updates from Apple (reference Apple Support Article HT213604 and HT213605)
Patch Information
The vulnerability was addressed in curl version 7.86.0, released on October 26, 2022. The fix ensures that IDN normalization occurs before HSTS cache lookups, eliminating the bypass vector. Organizations should upgrade to this version or later to remediate the vulnerability.
Vendor-specific patches are available:
- curl Official Security Advisory
- Gentoo GLSA 2022-12-01
- NetApp Security Advisory NTAP-20221209-0010
- Fedora packages have been updated via Fedora Package Announcements
Workarounds
- Disable HSTS support in curl if the feature is not strictly required and upgrade is not immediately possible
- Implement network-level HTTPS enforcement (e.g., firewall rules blocking HTTP to sensitive domains)
- Use application-level URL validation to reject URLs containing IDN characters before passing to curl
- Deploy TLS inspection to enforce encrypted connections regardless of client behavior
# Verify curl version and upgrade if vulnerable
curl --version | head -1
# If version is between 7.77.0 and 7.85.0, upgrade immediately
# On Debian/Ubuntu systems
sudo apt update && sudo apt upgrade curl
# On RHEL/CentOS/Fedora systems
sudo dnf update curl
# Verify the upgraded version
curl --version | head -1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
