How serious is CVE-2022-32221?

This vulnerability has a CVSS score of 9.8 out of 10, classified as CRITICAL severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2022-32221?

Yes, proof-of-concept exploit code for CVE-2022-32221 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2022-32221?

CVE-2022-32221 affects haxx curl. Check the full CVE details for specific version information.

How do I fix CVE-2022-32221?

To remediate CVE-2022-32221, check for security patches from haxx. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2022-32221

Critical

|9.8

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to manipulate data sent in a POST request by exploiting a flaw in how the curl library handles reused connections, potentially leading to the wrong data being sent or causing the application to crash. It occurs when a connection that was previously used for a PUT request is reused for a POST request without properly resetting the data handling, which could happen in applications that frequently switch between these types of requests.

Technical Description

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$13,000($5K-$15K)

Vendor Response

Grade FPatched in 1165 days

Quick Information

Published

Dec 5, 2022

about 3 years ago

Last Modified

Feb 13, 2026

7 days ago

Vendor

haxx

Product

curl

Related Vulnerabilities

CVE-2023-28322Low

This vulnerability allows an attacker to potentially send incorrect data during an HTTP POST request if the same connection handle was previously used for a PUT request, which could lead to unexpected application behavior. It mainly affects applications that reuse connection handles without properly resetting them, making it important for developers to be cautious when switching between different types of requests.

CVE-2023-27533High

An attacker can exploit a vulnerability in curl to send malicious commands during TELNET communication, potentially allowing them to execute arbitrary code on the system. This can happen if an application using curl accepts user input without properly checking it, making it particularly risky for applications that rely on user-provided data.

CVE-2023-23915Medium

This vulnerability allows an attacker to potentially intercept sensitive information during data transfers because the curl tool may fail to upgrade certain HTTP requests to secure HTTPS when multiple requests are made at the same time. This issue occurs only when using curl versions prior to 7.88.0 and can lead to unprotected data being sent over the internet instead of the intended secure connection.

CVE-2022-43551High

An attacker can trick curl into using an insecure HTTP connection instead of the intended secure HTTPS by manipulating the URL with special characters that confuse the software's security checks. This vulnerability occurs when the URL contains IDN characters that are converted to ASCII, allowing the attacker to bypass the HSTS protection that should enforce secure connections.

CVE-2022-42916High

This vulnerability allows an attacker to trick curl into using an insecure HTTP connection instead of the intended secure HTTPS connection by manipulating the URL with special characters. This can happen when the URL includes international domain names that get converted to ASCII, making it possible for the attacker to bypass security checks designed to enforce HTTPS.