CVE-2022-43551 Overview
A vulnerability exists in curl versions prior to 7.87.0 that allows HTTP Strict Transport Security (HSTS) protections to be bypassed through Internationalized Domain Name (IDN) character manipulation. When curl's HSTS support is enabled, it should enforce HTTPS connections even when HTTP URLs are provided. However, an attacker can bypass this security mechanism by crafting URLs that use IDN characters which get normalized to ASCII counterparts during the IDN conversion process.
The core issue lies in how curl stores and retrieves its HSTS state. When a host name contains an IDN character that the IDN conversion maps to an ASCII counterpart (for example U+3002 IDEOGRAPHIC FULL STOP in place of the ASCII full stop U+002E), curl stores the HSTS entry under the IDN-encoded name but looks it up under the IDN-decoded name. The two never match, so later requests to that host fail the HSTS check and go out as clear-text HTTP, exposing the transferred data to interception.
Critical Impact
Attackers can force curl-based applications to transmit sensitive data over unencrypted HTTP connections by exploiting the IDN encoding mismatch, potentially enabling man-in-the-middle attacks and data interception.
Affected Products
- Haxx curl (versions prior to 7.87.0)
- Fedora Project Fedora 37
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
- NetApp SnapCenter
- Splunk Universal Forwarder
Discovery Timeline
- 2022-12-23 - CVE-2022-43551 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-43551
Vulnerability Analysis
This vulnerability is classified as CWE-319 (Cleartext Transmission of Sensitive Information). The flaw enables attackers to circumvent HSTS protections that are designed to prevent protocol downgrade attacks. When a user or application attempts to connect to a domain using curl with HSTS enabled, the library should automatically upgrade insecure HTTP connections to HTTPS based on previously stored HSTS policies.
The vulnerability occurs because curl's HSTS implementation has inconsistent handling of Internationalized Domain Names. During the initial HSTS policy storage, the domain name is stored in its IDN-encoded (Punycode) representation. However, when checking whether HSTS should be applied to subsequent requests, curl looks up the domain in its IDN-decoded (Unicode) form. This asymmetry creates a window where crafted domain names can evade HSTS enforcement entirely.
Root Cause
The root cause is an inconsistent encoding strategy in curl's HSTS state management. The library stores HSTS records using IDN-encoded domain names but performs lookups using IDN-decoded representations. This encoding mismatch means that domains containing certain Unicode characters that map to ASCII equivalents during IDN conversion will never match their stored HSTS records, effectively nullifying the HSTS protection for those domains.
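The following is an added example, not curl's own code: a toy HSTS cache that reproduces the store/lookup encoding mismatch described above next to a corrected variant that canonicalizes the host on both paths. It uses Python's standard-library IDNA codec (which maps U+3002, U+FF0E and U+FF61 label separators to the ASCII full stop) and assumes a single policy for a constructed host, example.com, with includeSubDomains set.

```python
# Added example (not curl's code): a toy HSTS cache that reproduces the
# store/lookup encoding mismatch described above, next to a corrected
# version that canonicalizes the host on both paths.
import time
from dataclasses import dataclass


def to_idna_ascii(host: str) -> str:
    """IDN-encode a host name with Python's stdlib IDNA codec (ToASCII).

    The codec treats U+3002, U+FF0E and U+FF61 as label separators and
    emits the ASCII full stop, so "example\u3002com" becomes "example.com";
    an all-ASCII name passes through unchanged apart from lowercasing.
    """
    return host.encode("idna").decode("ascii").lower()


@dataclass
class HstsEntry:
    expires: float
    include_subdomains: bool = False


class HstsCache:
    """Minimal HSTS store.

    canonical_lookup=False mimics curl before 7.87.0 as the text describes:
    entries are saved under the IDN-encoded name but looked up with the
    IDN-decoded (raw Unicode) name, so IDN hosts never match.
    canonical_lookup=True applies the same encoding on both paths.
    """

    def __init__(self, canonical_lookup: bool) -> None:
        self.canonical_lookup = canonical_lookup
        self._entries = {}  # IDN-encoded host -> HstsEntry

    def store(self, host: str, max_age: int, include_subdomains: bool = False) -> None:
        # Both variants store under the IDN-encoded form.
        self._entries[to_idna_ascii(host)] = HstsEntry(time.time() + max_age, include_subdomains)

    def _lookup_key(self, host: str) -> str:
        return to_idna_ascii(host) if self.canonical_lookup else host.lower()

    def must_use_https(self, host: str) -> bool:
        """True if an unexpired policy covers host, directly or via includeSubDomains."""
        key = self._lookup_key(host)
        now = time.time()
        labels = key.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= now:
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def scheme_for(cache: HstsCache, host: str) -> str:
    """Scheme that would be used for an http:// URL to host under this cache."""
    return "https" if cache.must_use_https(host) else "http"


def demo() -> dict:
    # Constructed hosts: the ASCII name and three look-alikes using alternative full stops.
    hosts = ["example.com", "example\u3002com", "example\uff0ecom", "api.example\uff61com"]
    results = {}
    for label, canonical in (("vulnerable", False), ("fixed", True)):
        cache = HstsCache(canonical_lookup=canonical)
        cache.store("example.com", max_age=31536000, include_subdomains=True)
        results[label] = {h: scheme_for(cache, h) for h in hosts}
    return results


if __name__ == "__main__":
    for label, per_host in demo().items():
        for host, scheme in per_host.items():
            print(f"{label:10s} {host!r:28s} -> {scheme}")
```

With the vulnerable cache every look-alike host name falls through to plain HTTP even though the policy for example.com is present; with the fixed cache all four names resolve to the same key and get upgraded to HTTPS. The defensive takeaway is that any host-keyed security state (HSTS, pinning, allow-lists) must be written and read under one canonical form.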
Attack Vector
The attack can be performed over the network without authentication or user interaction. In outline:
- The victim's curl-based application is induced to request a URL whose host name contains IDN characters (for example U+3002 IDEOGRAPHIC FULL STOP in place of the ASCII period)
- A response may establish an HSTS policy for that host, but because of the encoding mismatch the policy is stored under a name that later lookups will not match
- Subsequent requests to the same host (using the alternative Unicode representation) therefore miss the HSTS check
- The connection proceeds over clear-text HTTP, where the transmitted data can be intercepted or modified
The attack exploits the visual similarity between certain Unicode characters and their ASCII counterparts, combined with curl's internal encoding inconsistencies. For example, an attacker could craft a URL like http://example。com (using the IDEOGRAPHIC FULL STOP) which visually resembles http://example.com but is processed differently by curl's HSTS mechanism.
Detection Methods for CVE-2022-43551
Indicators of Compromise
- Unexpected HTTP traffic to domains that should be protected by HSTS policies
- Network logs showing clear-text HTTP connections to sensitive endpoints where HTTPS was expected
- URLs containing unusual Unicode characters in domain names, particularly alternative period characters like U+3002, U+FF0E, or U+FF61
- Certificate validation errors followed by successful unencrypted connections to the same apparent domain
Detection Strategies
- Monitor network traffic for clear-text HTTP connections to domains that have an HSTS policy recorded in the browser or application HSTS store
- Implement DNS monitoring to detect requests for domains containing IDN characters that normalize to sensitive internal domain names
- Deploy network inspection tools to flag clear-text HTTP traffic to known high-value domains
- Review application logs for curl connections that unexpectedly fall back to HTTP despite HSTS being configured
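As an added example (not from the page or from curl), the scanner below runs the two indicators that are easiest to check mechanically over constructed application log lines: clear-text http:// requests to hosts with a known HSTS policy, and host names that use the alternative full stops listed above. The log format (space-separated key=value fields with a url= field), the KNOWN_HSTS allow-list and the sample lines are all assumptions made for the example.

```python
# Added example (not from the page or from curl): scan constructed application
# log lines for clear-text http:// requests to hosts with a known HSTS policy
# and for host names using alternative full stops.
import re
from urllib.parse import urlsplit

# Constructed allow-list of hosts known to publish HSTS: host -> includeSubDomains.
KNOWN_HSTS = {"example.com": True, "login.example.org": False}

# Alternative label separators that IDNA maps to the ASCII full stop.
ALT_DOTS = {"\u3002": "U+3002", "\uff0e": "U+FF0E", "\uff61": "U+FF61"}

URL_FIELD = re.compile(r"\burl=(?P<url>\S+)")

# Constructed sample log (key=value style); not real traffic.
SAMPLE_LOG = [
    "2023-01-10T09:00:01Z app=billing url=https://example.com/login status=200",
    "2023-01-10T09:00:02Z app=billing url=http://example\u3002com/api/pay status=200",
    "2023-01-10T09:00:03Z app=billing url=http://intranet.corp/status status=200",
    "2023-01-10T09:00:04Z app=sync url=http://login.example.org/token status=302",
    "2023-01-10T09:00:05Z app=sync url=http://example\uff0ecom/export status=200",
]


def canonical_host(host: str):
    """IDNA ToASCII plus lowercasing; None if the name is not valid IDNA."""
    try:
        return host.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def hsts_policy_covers(host: str) -> bool:
    """Exact match, or a parent domain whose policy has includeSubDomains."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in KNOWN_HSTS and (i == 0 or KNOWN_HSTS[candidate]):
            return True
    return False


def analyze_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = URL_FIELD.search(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    findings = []
    odd = [name for ch, name in ALT_DOTS.items() if ch in raw_host]
    if odd:
        findings.append("alt-dot:" + ",".join(odd))
    host = canonical_host(raw_host)
    if host is None:
        findings.append("invalid-idna")
    elif parts.scheme == "http" and hsts_policy_covers(host):
        findings.append("cleartext-to-hsts-host:" + host)
    if not findings:
        return None
    return {"url": url, "host": host, "findings": findings}


def scan(lines):
    return [f for f in map(analyze_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The scanner canonicalizes the host before consulting the allow-list, so a look-alike such as example。com is attributed to the example.com policy rather than slipping past as an unknown host; the alt-dot flag is reported separately because it is a useful signal even for hosts with no HSTS policy on file.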
Monitoring Recommendations
- Enable verbose logging for curl-based applications to capture connection protocol details
- Implement TLS inspection at network boundaries to identify potential HSTS bypass attempts
- Configure SIEM rules to alert on HTTP traffic patterns that indicate possible protocol downgrade attacks
- Regularly audit curl versions deployed across infrastructure to ensure patched versions are in use
How to Mitigate CVE-2022-43551
Immediate Actions Required
- Upgrade curl to version 7.87.0 or later, which contains the fix for this vulnerability
- Audit all systems and applications that bundle or depend on libcurl to identify vulnerable instances
- Review network configurations to ensure HTTPS-only policies are enforced at the network layer as an additional defense
- Consider implementing certificate pinning for critical connections as a supplementary security measure
Patch Information
The vulnerability has been addressed in curl version 7.87.0 and later releases. Organizations should update to the latest stable version of curl to receive this fix along with other security improvements. Multiple Linux distributions have released updated packages containing the patched curl version.
For detailed security advisories and patch information, refer to:
- HackerOne Report #1755083
- Gentoo GLSA 202310-12
- NetApp Security Advisory ntap-20230427-0007
- Fedora Package Announcement
Workarounds
- Force HTTPS at the application level by validating and rewriting all URLs before passing them to curl
- Implement URL normalization that converts IDN characters to their ASCII equivalents before HSTS lookups
- Deploy a web proxy that enforces HTTPS connections independent of client-side HSTS state
- Use network-level controls to block HTTP traffic to sensitive domains as a compensating control
# Example: Verify curl version and force HTTPS protocol
curl --version | head -1
# Ensure version is 7.87.0 or higher
# Force HTTPS connections at the application level
curl --proto '=https' https://example.com/api/endpoint
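The first two workarounds above (rewrite and normalize URLs before curl sees them) can be combined in a small wrapper. The following is an added example, not curl's or the page's code: it IDN-encodes the host with Python's standard-library codec, forces the https scheme, refuses embedded credentials, and then builds a curl command line that also passes --proto =https so curl itself rejects any non-HTTPS transfer. The --hsts option (curl 7.74.0 and later) is included to persist curl's own HSTS cache; the file name hsts.txt is an assumption.

```python
# Added example (not curl's or the page's code): canonicalize the host and
# force https before the URL ever reaches curl, then build the curl argv
# with --proto =https as a second line of defence.
from urllib.parse import urlsplit, urlunsplit


def harden_url(url: str) -> str:
    """Return url with the host IDN-encoded (ASCII) and the scheme forced to https.

    Raises ValueError for anything other than http/https, for a missing host,
    or for user:password@ credentials embedded in the URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    # IDNA ToASCII maps U+3002 / U+FF0E / U+FF61 to '.', so the name handed to
    # curl is the same canonical form its HSTS cache stores.
    host = parts.hostname.encode("idna").decode("ascii").lower()
    netloc = f"{host}:{parts.port}" if parts.port else host
    # The fragment is dropped: it is never sent to the server.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))


def curl_argv(url: str, hsts_file: str = "hsts.txt") -> list:
    """argv for curl: --proto =https refuses any non-HTTPS scheme,
    --hsts persists curl's HSTS cache in hsts_file (assumed path)."""
    return ["curl", "--proto", "=https", "--hsts", hsts_file, harden_url(url)]


if __name__ == "__main__":
    # Constructed input using U+3002 in place of the ASCII full stop.
    print(" ".join(curl_argv("http://example\u3002com/api/endpoint")))
```

Rejecting credentials in the URL is a deliberate choice: a rewritten URL that silently carried user:password@ over to a different canonical host would be a worse failure than an error. Because the wrapper upgrades the scheme unconditionally, it does not depend on curl's HSTS state at all, which is the point of the workaround.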
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


