CVE-2022-43551 [High] | Security Bypass in Curl

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-12-27	0.07%	0.04%	-0.03%
2	2025-12-24	0.03%	0.07%	+0.04%
3	2025-11-21	—	0.03%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-12-27

0.07%

0.04%

-0.03%

2025-12-24

0.03%

0.07%

+0.04%

2025-11-21

—

0.03%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	3.9	3.6	[email protected]
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	3.9	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

3.9

3.6

[email protected]

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

3.9

3.6

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2022-43551

vendor	priority	summary	link
`alpine`	—	CVE-2022-43551: 1 source package rows (curl); 47 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 40.	https://security.alpinelinux.org/vuln/CVE-2022-43551
`debian`	not yet assigned	CVE-2022-43551 not yet assigned priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1.	https://security-tracker.debian.org/tracker/CVE-2022-43551
`gentoo`	high	CVE-2022-43551: 1 GLSA(s) (202310-12), 1 atom(s) (net-misc/curl); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2022-43551
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2022-43551
`suse`	medium	CVE-2022-43551 severity moderate: SUSE including 358 source package names (0.58.0.1.147:libcurl4-7.79.1-150400.5.12.1, 0.58.0.17.143:curl-7.79.1-150400.5.12.1, …), 851 product×package rows across 270 product lines (Container bci/bci-init, Container bci/dotnet-aspnet, … (270 product lines)): Fixed 589, Known Affected 136, Known Not Affected 126.	https://www.suse.com/security/cve/CVE-2022-43551/
`ubuntu`	medium	CVE-2022-43551 medium priority: Ubuntu including 1 source packages (curl), 8 status rows across 8 suites (bionic, focal, jammy, kinetic, lunar, trusty, upstream, xenial): not-affected 4, released 3, needs-triage 1.	https://ubuntu.com/security/CVE-2022-43551

Affected software / configurations for CVE-2022-43551

Vendor	Product	Version	Raw CPE
haxx	curl	>= 7.77.0, < 7.87.0	cpe:2.3:a:haxx:curl::::::::
fedoraproject	fedora	37	cpe:2.3:o:fedoraproject:fedora:37:::::::*
netapp	active_iq_unified_manager	—	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
netapp	active_iq_unified_manager	—	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
netapp	oncommand_insight	—	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
netapp	oncommand_workflow_automation	—	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
netapp	snapcenter	—	cpe:2.3:a:netapp:snapcenter:-:::::::*
splunk	universal_forwarder	>= 8.2.0, < 8.2.12	cpe:2.3:a:splunk:universal_forwarder::::::::
splunk	universal_forwarder	>= 9.0.0, < 9.0.6	cpe:2.3:a:splunk:universal_forwarder::::::::
splunk	universal_forwarder	9.1.0	cpe:2.3:a:splunk:universal_forwarder:9.1.0:::::::*

References for CVE-2022-43551

URL	Tags
https://hackerone.com/reports/1755083	Exploit Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202310-12	Third Party Advisory
https://security.netapp.com/advisory/ntap-20230427-0007/	Third Party Advisory

URL

CVE-2022-43551

Public exploit references (Exploit-DB) for CVE-2022-43551

Exploit prediction scoring system (EPSS) score for CVE-2022-43551

Common vulnerability scoring system (CVSS) metrics for CVE-2022-43551

Weakness enumeration for CVE-2022-43551

OS Trackers for CVE-2022-43551

Affected software / configurations for CVE-2022-43551

References for CVE-2022-43551