
CVE-2022-42915: n/a in n/a

High
Tags: Vulnerability, CVE-2022-42915, cve, cve-2022-42915
Published: Sat Oct 29 2022 (10/29/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.

AI-Powered Analysis

Last updated: 07/05/2025, 14:40:06 UTC

Technical Analysis

CVE-2022-42915 is a high-severity vulnerability affecting curl versions prior to 7.86.0. The flaw is a double free vulnerability (CWE-415) triggered when curl is configured to use an HTTP proxy for transferring data using certain non-HTTP(S) URL schemes, including dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, and telnet. In such cases, curl issues a CONNECT request to the proxy to establish a tunnel to the remote server. However, if the HTTP proxy refuses the CONNECT request—commonly because proxies restrict outgoing connections to specific ports like 443 for HTTPS—and returns a non-200 HTTP status code, curl's error and cleanup handling is flawed. This improper handling can cause curl to attempt to free the same memory twice, leading to a double free condition.

Double free vulnerabilities can result in undefined behavior such as application crashes, memory corruption, or potentially arbitrary code execution if exploited successfully. The vulnerability affects curl versions starting from 7.77.0 up to but not including 7.86.0. The CVSS v3.1 score is 8.1 (high), reflecting the network attack vector, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild.

The vulnerability is significant because curl is widely used as a command-line tool and library for transferring data with URLs in many applications and systems, including web clients, automated scripts, and embedded devices. Exploiting this flaw could allow remote attackers to cause denial of service or potentially execute arbitrary code on affected systems if they can control the proxy response and the URL scheme used.

Potential Impact

For European organizations, the impact of CVE-2022-42915 can be substantial due to the widespread use of curl in enterprise environments, including in automated data transfer processes, CI/CD pipelines, and networked applications. A successful exploitation could lead to service disruptions through crashes or memory corruption, compromising availability. Additionally, the potential for arbitrary code execution could allow attackers to gain unauthorized access, leading to data breaches affecting confidentiality and integrity. Organizations relying on HTTP proxies for outbound traffic, especially those restricting proxy CONNECT requests, are more exposed. This vulnerability could be leveraged in targeted attacks against critical infrastructure, financial institutions, or government agencies in Europe, where curl is embedded in many software stacks. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the public disclosure. The high CVSS score indicates that the vulnerability is severe and should be addressed promptly to avoid exploitation risks.

Mitigation Recommendations

European organizations should take the following specific actions:

1) Identify all systems and applications using curl versions between 7.77.0 and 7.85.x, including embedded devices and containers.
2) Upgrade curl to version 7.86.0 or later, where the vulnerability is fixed.
3) Review proxy configurations to monitor and restrict CONNECT requests, ensuring that only necessary protocols and ports are allowed, minimizing exposure to non-HTTP(S) schemes.
4) Implement network-level monitoring to detect unusual proxy responses or connection failures that could indicate exploitation attempts.
5) For critical systems where immediate upgrade is not feasible, consider disabling or restricting use of vulnerable URL schemes (dict, gopher, ldap, rtmp, telnet, etc.) in curl commands or applications.
6) Conduct internal audits and penetration tests to verify the absence of vulnerable curl versions and to assess proxy handling of CONNECT requests.
7) Educate developers and system administrators about the risks of proxy tunneling with non-HTTP(S) protocols and encourage secure coding and configuration practices.

These targeted mitigations go beyond generic patching advice by focusing on proxy configurations and protocol restrictions that are central to the vulnerability's exploitation vector.
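For the inventory step, one way to triage a host is to parse its `curl --version` output and compare the libcurl version and compiled-in protocols against the range and scheme list given in the description. This is an added example, not part of the original record; the function names and the sample output are constructed for illustration.

```python
import re

# Scheme list and version bounds are taken from the CVE description above.
AFFECTED_SCHEMES = {"dict", "gopher", "gophers", "ldap", "ldaps",
                    "rtmp", "rtmps", "telnet"}
FIRST_AFFECTED = (7, 77, 0)   # earliest affected release
FIRST_FIXED = (7, 86, 0)      # release containing the fix

# Constructed sample of `curl --version` output (not captured from a real host).
SAMPLE = """\
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2022-01-05
Protocols: dict file ftp gopher gophers http https ldap ldaps rtmp telnet
Features: HTTPS-proxy IPv6 Largefile libz SSL
"""

def parse_curl_version(output):
    """Return (libcurl version tuple, set of compiled-in protocols)."""
    # The flaw is in the library, so prefer the libcurl/x.y.z token and fall
    # back to the tool version on the first line.
    m = (re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", output)
         or re.search(r"^curl (\d+)\.(\d+)\.(\d+)", output, re.MULTILINE))
    if not m:
        raise ValueError("no curl/libcurl version found")
    version = tuple(int(part) for part in m.groups())
    p = re.search(r"^Protocols:[ \t]*(.*)$", output, re.MULTILINE)
    protocols = set(p.group(1).lower().split()) if p else set()
    return version, protocols

def triage(output):
    """Classify one host's curl build against CVE-2022-42915."""
    version, protocols = parse_curl_version(output)
    in_range = FIRST_AFFECTED <= version < FIRST_FIXED
    schemes = sorted(protocols & AFFECTED_SCHEMES)
    if not in_range:
        status = "not-affected"
    elif schemes:
        status = "affected"
    else:
        status = "affected-version-no-listed-scheme"
    return {"version": ".".join(map(str, version)),
            "status": status, "schemes": schemes}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Distribution packages may carry a backported fix without changing the upstream version number, so confirm flagged hosts against the vendor's advisory. Where an upgrade has to wait, curl's `--proto` option (for example `--proto =http,https`) limits a command to the listed protocols.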


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-13T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9a58

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 7/5/2025, 2:40:06 PM

Last updated: 7/31/2025, 6:44:39 PM
