CVE-2022-35252: Improper Input Validation (CWE-20) in https://github.com/curl/curl

Low
Published: Fri Sep 23 2022 (09/23/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: https://github.com/curl/curl

Description

When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.

AI-Powered Analysis

Last updated: 07/07/2025, 00:09:59 UTC

Technical Analysis

CVE-2022-35252 is a vulnerability in the curl tool, specifically related to its handling of cookies retrieved from HTTP(S) servers. Curl is a widely used command-line tool and library for transferring data with URLs, supporting numerous protocols including HTTP and HTTPS. The vulnerability stems from improper input validation (CWE-20) when curl parses cookies containing control codes. These control codes, when accepted and later sent back to an HTTP server, can cause the server to respond with HTTP 400 (Bad Request) errors. This behavior can be exploited by a "sister site"—a site related or connected to the target server—to effectively deny service to all sibling sites by causing their HTTP requests to be rejected. The issue was fixed in curl version 7.85.0. The CVSS v3.1 base score is 3.7, indicating a low severity vulnerability. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), no user interaction (UI:N), and impacts only availability (A:L) with no confidentiality or integrity impact. No known exploits are reported in the wild. The vulnerability primarily affects systems using vulnerable versions of curl that handle cookies from HTTP(S) servers, which is common in many automated scripts, CI/CD pipelines, and software relying on curl for HTTP communications.

Potential Impact

For European organizations, the impact of this vulnerability is generally low but non-negligible. Organizations relying on curl for automated HTTP interactions, especially those that handle multiple related web services or microservices communicating via HTTP cookies, could experience service disruptions. The denial of service is indirect and requires a malicious or compromised "sister site" to send crafted cookies that trigger HTTP 400 errors on sibling sites. This could affect web services, APIs, or internal tools that depend on curl for cookie management. While the vulnerability does not compromise confidentiality or integrity, availability disruptions could impact business operations, particularly for organizations with complex web service architectures or those using curl in critical automation workflows. Since exploitation requires network access and high attack complexity, the risk is mitigated but still relevant for high-value targets or environments with interconnected web services.

Mitigation Recommendations

European organizations should ensure that all systems using curl are updated to version 7.85.0 or later, where this vulnerability is fixed. Beyond patching, organizations should audit their use of curl in automation scripts, CI/CD pipelines, and web service interactions to identify any reliance on cookie handling that could be exploited. Network segmentation and strict access controls can limit exposure to potentially malicious "sister sites." Implementing web application firewalls (WAFs) or HTTP request validation to detect and block malformed cookies or suspicious HTTP requests can further reduce risk. Monitoring HTTP 400 error rates and correlating with cookie data may help detect attempted exploitation. Additionally, organizations should review their cookie policies and ensure that cookie inputs are sanitized or validated before being processed or forwarded by curl-based tools.
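
One way to carry out the cookie audit recommended above, as an added example that is not code from the curl project or from this page's source: a scanner for a curl cookie jar in Netscape format that reports cookies whose name or value contains control codes. The set of octets treated as control codes, the function name and the sample jar are assumptions constructed for illustration.

```python
# Added example: audit a curl cookie jar for cookies carrying control codes.
# Assumption: "control code" means bytes 0x01-0x1f (except TAB, which is the
# jar's field separator) and 0x7f; the page does not enumerate them.
CONTROL_OCTETS = frozenset(range(0x01, 0x20)) - {0x09} | {0x7F}
HTTPONLY_PREFIX = b"#HttpOnly_"

# Constructed sample jar: one clean cookie, two with control codes.
SAMPLE_JAR = (
    b"# Netscape HTTP Cookie File\n"
    b"shop.example.com\tFALSE\t/\tFALSE\t0\tsession\tabc123\n"
    b"#HttpOnly_.example.com\tTRUE\t/\tTRUE\t1893456000\ttrack\tx\x01\x7fy\n"
    b".example.com\tTRUE\t/\tFALSE\t0\tpref\x1b\tdark\n"
)


def find_control_code_cookies(jar_bytes):
    """Return (line_no, domain, name, bad_octets) for each suspect cookie.

    The jar is read as bytes so that control codes survive untouched.
    """
    findings = []
    for line_no, raw in enumerate(jar_bytes.split(b"\n"), start=1):
        # Tolerate CRLF jars; a cookie value ending in CR is not detected.
        line = raw[:-1] if raw.endswith(b"\r") else raw
        if line.startswith(HTTPONLY_PREFIX):
            line = line[len(HTTPONLY_PREFIX):]  # HttpOnly cookie, not a comment
        elif not line or line.startswith(b"#"):
            continue  # blank line or real comment
        # Fields: domain, subdomain flag, path, secure, expiry, name, value
        fields = line.split(b"\t")
        if len(fields) < 6:
            continue  # not a cookie record
        domain, name = fields[0], fields[5]
        value = b"\t".join(fields[6:])
        bad = sorted({b for b in name + value if b in CONTROL_OCTETS})
        if bad:
            findings.append((line_no, domain.decode("latin-1"),
                             name.decode("latin-1"),
                             ["0x%02x" % b for b in bad]))
    return findings


if __name__ == "__main__":
    for finding in find_control_code_cookies(SAMPLE_JAR):
        print(repr(finding))
```

A jar that produces findings was written by a client that accepted such cookies; the flagged domains show which cookie scope to clear after upgrading to 7.85.0 or later.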

Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2022-07-06T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc2bf

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/7/2025, 12:09:59 AM

Last updated: 8/7/2025, 7:39:09 AM
