CVE-2022-32205: Allocation of Resources Without Limits or Throttling (CWE-770) in https://github.com/curl/curl
A malicious server can serve excessive amounts of `Set-Cookie:` headers in an HTTP response to curl, and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies makes subsequent HTTP requests to this server, or to other servers the cookies match, become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes), so curl instead returns an error. This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.
AI Analysis
Technical Summary
CVE-2022-32205 is a vulnerability in curl versions prior to 7.84.0 involving improper resource allocation and lack of throttling when processing HTTP Set-Cookie headers. Specifically, a malicious HTTP server can send an excessive number of Set-Cookie headers with large cookie values in its response. Curl stores all these cookies without imposing limits, which can cause subsequent HTTP requests to become excessively large. Curl internally has a threshold of 1,048,576 bytes (1 MB) to prevent sending overly large requests; when this threshold is exceeded due to accumulated cookies, curl returns an error and refuses to send the request. This results in a denial-of-service (DoS) condition for the client application relying on curl, as it cannot successfully complete HTTP requests to the affected server or any other server matching the cookie domain rules. The vulnerability is exacerbated by cookie domain matching rules, where a server on one subdomain (e.g., foo.example.com) can set cookies that also match sibling subdomains (e.g., bar.example.com). This allows a "sister server" to cause a denial of service on a sibling site within the same second-level domain by setting excessive cookies. The denial state persists as long as the cookies remain valid and unexpired. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It has a CVSS 3.1 base score of 4.3 (medium severity), reflecting its network attack vector, low complexity, no privileges required, but requiring user interaction and causing availability impact only. No known exploits in the wild have been reported. The issue was fixed in curl version 7.84.0 by implementing appropriate limits or throttling on cookie storage to prevent excessive resource consumption.
Potential Impact
For European organizations, this vulnerability can lead to denial of service in applications or services that rely on vulnerable versions of curl for HTTP communications. Since curl is widely used in many software products, scripts, and automated tools across industries, the impact can range from temporary service disruptions to failures in critical automated workflows that depend on HTTP requests. The denial of service is client-side, meaning the affected systems cannot successfully send requests to certain servers after receiving excessive cookies, potentially disrupting integrations, data transfers, or API calls. This can affect sectors such as finance, healthcare, government, and telecommunications, where reliable HTTP communication is essential. Moreover, the cross-subdomain cookie matching aspect can allow malicious actors controlling one subdomain to disrupt services on sibling subdomains, which may be particularly relevant for organizations managing multiple related domains or subsidiaries. While the vulnerability does not lead to data confidentiality or integrity loss, the availability impact can cause operational delays and increased troubleshooting efforts. Given the medium severity and lack of known exploits, the threat is moderate but should not be ignored, especially in environments with strict uptime requirements.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Identify all systems and applications using curl versions prior to 7.84.0, including embedded curl libraries in third-party software.
2) Upgrade curl to version 7.84.0 or later, where the vulnerability is fixed.
3) For environments where immediate upgrade is not feasible, implement network-level controls to limit or monitor HTTP responses with excessive Set-Cookie headers from untrusted or external servers.
4) Review and restrict cookie domain policies and subdomain configurations to minimize the risk of cross-subdomain cookie abuse.
5) Implement application-level timeouts and error handling to gracefully recover from curl request failures caused by this issue.
6) Monitor logs for repeated curl errors related to large cookie headers to detect potential exploitation attempts.
7) Educate developers and system administrators about this vulnerability to ensure secure coding and deployment practices involving HTTP client libraries.
These measures go beyond generic advice by focusing on inventory, domain policy management, and proactive detection tailored to this specific vulnerability.
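To make the mechanism in the Technical Summary and mitigation step 6 concrete, the following added example (not curl's own code) audits a curl-style Netscape cookie jar: it applies the domain tail-matching that lets a `.example.com` cookie set by `foo.example.com` ride along to `bar.example.com`, computes the `Cookie:` header curl would build for a given host, and flags it against the 1048576-byte request threshold quoted above. The sample jar, the `SAMPLE_JAR` name and the simplified matching rules are constructed assumptions for illustration.

```python
"""Audit a Netscape-format cookie jar (as written by curl -c) for CVE-2022-32205 exposure.

Assumption: the 1048576-byte limit from the advisory applies to the whole request,
so the Cookie header size computed here is a lower bound on the request size.
"""
import time

CURL_REQUEST_LIMIT = 1048576  # bytes, from the advisory text

def parse_cookie_jar(text):
    """Parse cookie-jar lines into dicts; handles curl's #HttpOnly_ prefix and comments."""
    cookies = []
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line, skip rather than guess
        domain, tail_match, path, _secure, expires, name, value = fields
        cookies.append({"domain": domain.lstrip(".").lower(),
                        "tail_match": tail_match == "TRUE",  # TRUE = subdomains match
                        "path": path, "expires": int(expires),
                        "name": name, "value": value})
    return cookies

def cookie_matches(cookie, host, path="/", now=None):
    """Simplified curl rules: unexpired, domain (exact or tail) and path prefix match."""
    now = time.time() if now is None else now
    if cookie["expires"] and cookie["expires"] <= now:
        return False  # 0 means session cookie, anything else is an epoch expiry
    host = host.lower()
    if cookie["tail_match"]:
        if host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
            return False
    elif host != cookie["domain"]:
        return False
    return path.startswith(cookie["path"])

def cookie_header_size(cookies, host, path="/", now=None):
    """Byte length of the Cookie: header line curl would send to host/path."""
    matched = [c for c in cookies if cookie_matches(c, host, path, now)]
    if not matched:
        return 0
    header = "Cookie: " + "; ".join(f"{c['name']}={c['value']}" for c in matched) + "\r\n"
    return len(header.encode())

def exceeds_curl_limit(cookies, host, path="/", now=None):
    """True when the accumulated cookies alone already breach the request limit."""
    return cookie_header_size(cookies, host, path, now) >= CURL_REQUEST_LIMIT

# Constructed sample jar: a domain cookie set by foo.example.com that also matches
# bar.example.com, one host-only cookie, and one cookie that expired at epoch 1.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join([".example.com", "TRUE", "/", "FALSE", "0", "big", "A" * 4000]),
    "\t".join(["foo.example.com", "FALSE", "/", "FALSE", "0", "host_only", "x"]),
    "\t".join([".example.com", "TRUE", "/", "FALSE", "1", "stale", "y"]),
])
```

Run it against a real jar with `parse_cookie_jar(open(path).read())` and the hosts your automation talks to; a non-zero size for a host that never set cookies itself is the sibling-domain case the advisory describes.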
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2022-06-01T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981fc4522896dcbdc248
Added to database: 5/21/2025, 9:08:47 AM
Last enriched: 7/6/2025, 11:57:29 PM
Last updated: 7/31/2025, 6:16:18 AM