CVE-2022-32205

Exp

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Published: 2022-07-07 Last update: 2025-05-05 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2022-32205 is rated High Exploit Risk (61.4/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.19%). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2022-32205

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2022-32205

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-05-13 2.59% 2.19% -0.40%
2 2026-03-04 3.76% 2.59% -1.17%
3 2026-03-01 3.76%

Full EPSS history (54 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-32205

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.3 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
 2.8 1.4 [email protected]
4.3 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
 2.8 1.4 134c704f-9b21-4f2e-91b3-4a467353bcc0
4.3 2.0 MEDIUM
AV:N/AC:M/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.6 2.9 [email protected]

Weakness enumeration for CVE-2022-32205

OS Trackers for CVE-2022-32205

vendor priority summary link
alpine CVE-2022-32205: 1 source package rows (curl); 152 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 145. https://security.alpinelinux.org/vuln/CVE-2022-32205
debian not yet assigned CVE-2022-32205 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2022-32205
gentoo high CVE-2022-32205: 1 GLSA(s) (202212-01), 1 atom(s) (net-misc/curl); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-32205
redhat low https://access.redhat.com/security/cve/CVE-2022-32205
suse medium CVE-2022-32205 severity moderate: SUSE including 362 source package names (0.58.0.1.147:libcurl4-7.79.1-150400.5.3.1, 0.58.0.17.143:curl-7.79.1-150400.5.3.1, …), 840 product×package rows across 266 product lines (Container bci/bci-init, Container bci/dotnet-aspnet, … (266 product lines)): Fixed 619, Known Affected 111, Known Not Affected 110. https://www.suse.com/security/cve/CVE-2022-32205/
ubuntu medium CVE-2022-32205 medium priority: Ubuntu including 1 source packages (curl), 8 status rows across 8 suites (bionic, focal, impish, jammy, kinetic, trusty, upstream, xenial): not-affected 4, released 4. https://ubuntu.com/security/CVE-2022-32205

Affected software / configurations for CVE-2022-32205

Vendor Product Version Raw CPE
haxx curl >= 7.71.0, < 7.84.0 cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
fedoraproject fedora 35 cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
netapp clustered_data_ontap cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
netapp element_software cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
netapp hci_management_node cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
netapp solidfire cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
netapp h300s_firmware cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
netapp h500s_firmware cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
netapp h700s_firmware cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
netapp h410s_firmware cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
apple macos < 13.0 cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
siemens scalance_sc622-2c_firmware < 3.0 cpe:2.3:o:siemens:scalance_sc622-2c_firmware:*:*:*:*:*:*:*:*
siemens scalance_sc626-2c_firmware < 3.0 cpe:2.3:o:siemens:scalance_sc626-2c_firmware:*:*:*:*:*:*:*:*
siemens scalance_sc632-2c_firmware < 3.0 cpe:2.3:o:siemens:scalance_sc632-2c_firmware:*:*:*:*:*:*:*:*
siemens scalance_sc636-2c_firmware < 3.0 cpe:2.3:o:siemens:scalance_sc636-2c_firmware:*:*:*:*:*:*:*:*
siemens scalance_sc642-2c_firmware < 3.0 cpe:2.3:o:siemens:scalance_sc642-2c_firmware:*:*:*:*:*:*:*:*
siemens scalance_sc646-2c_firmware < 3.0 cpe:2.3:o:siemens:scalance_sc646-2c_firmware:*:*:*:*:*:*:*:*
splunk universal_forwarder >= 8.2.0, < 8.2.12 cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
splunk universal_forwarder >= 9.0.0, < 9.0.6 cpe:2.3:a:splunk:universal_forwarder:*:*:*:*:*:*:*:*
splunk universal_forwarder 9.1.0 cpe:2.3:a:splunk:universal_forwarder:9.1.0:*:*:*:*:*:*:*

References for CVE-2022-32205

cvelogic Threat Intelligence