CURL-CVE-2014-3620

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2014-3620.html

Import Source

https://curl.se/docs/CURL-CVE-2014-3620.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2014-3620

Aliases

CVE-2014-3620

Published

2014-09-10T08:00:00Z

Modified

2026-05-27T02:29:27.831653Z

Summary

cookie leak for TLDs

Details

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.

Database specific

{
    "severity": "High",
    "www": "https://curl.se/docs/CVE-2014-3620.html",
    "CWE": {
        "id": "CWE-201",
        "desc": "Information Exposure Through Sent Data"
    },
    "URL": "https://curl.se/docs/CVE-2014-3620.json",
    "affects": "both",
    "package": "curl",
    "last_affected": "7.37.1"
}

References

Credits

- Tim Ruehsen - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.31.0

Fixed

7.38.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

85b9dc80232d1d7d48ee4dea6db5a2263ee68efd

Fixed

a76825a5efa6b41d3a1d4f275dada2f017f6f566

Affected versions

7.*

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

Other

curl-7_31_0

curl-7_32_0

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

Database specific

source

"https://curl.se/docs/CURL-CVE-2014-3620.json"

vanir_signatures_modified

"2026-05-27T02:29:27Z"

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/a76825a5efa6b41d3a1d4f275dada2f017f6f566",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "37427175837161603727402837893850884207",
                "57078580031252356122054128959790165040",
                "57610869871746178693586270261540026008",
                "264650330124006555882506950221627293740",
                "158063382807229582267971963380867257653",
                "127624980743193691609132514435589490983",
                "303745661566892262755879777628873642030"
            ]
        },
        "id": "CURL-CVE-2014-3620-0bc9e96c",
        "deprecated": false,
        "target": {
            "file": "lib/cookie.c"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/a76825a5efa6b41d3a1d4f275dada2f017f6f566",
        "digest": {
            "function_hash": "278933965437113816845312027126601948095",
            "length": 7230.0
        },
        "id": "CURL-CVE-2014-3620-571995f9",
        "deprecated": false,
        "target": {
            "file": "lib/cookie.c",
            "function": "Curl_cookie_add"
        }
    }
]