CURL-CVE-2022-32206

See a problem?
Please try reporting it to the source first.
Source
https://curl.se/docs/CVE-2022-32206.html
Import Source
https://curl.se/docs/CURL-CVE-2022-32206.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2022-32206
Aliases
Published
2022-06-27T08:00:00Z
Modified
2025-05-15T17:48:29Z
Summary
HTTP compression denial of service
Details

curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.

The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Database specific 
{
    "CWE": {
        "desc": "Allocation of Resources Without Limits or Throttling",
        "id": "CWE-770"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2022-32206.json",
    "www": "https://curl.se/docs/CVE-2022-32206.html",
    "last_affected": "7.83.1",
    "award": {
        "amount": "2400",
        "currency": "USD"
    },
    "severity": "Medium",
    "affects": "both",
    "issue": "https://hackerone.com/reports/1570651"
}
References
Credits
    • Harry Sintonen - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.57.0
Fixed
7.84.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
dbcced8e32b50c068ac297106f0502ee200a1ebd
Fixed
3a09fbb7f264c67c438d01a30669ce325aa508e2

Affected versions

7.*

7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1