{"id":"CURL-CVE-2022-27779","summary":"cookie for trailing dot TLD","details":"libcurl wrongly allows HTTP cookies to be set for Top Level Domains (TLDs) if\nthe hostname is provided with a trailing dot.\n\ncurl can be told to receive and send cookies when communicating using\nHTTP(S). curl's \"cookie engine\" can be built with or without [Public Suffix\nList](https://publicsuffix.org/) awareness. If PSL support is not provided, a\nmore rudimentary check exists to at least prevent cookies from being set on\nTLDs. This check was broken if the hostname in the URL uses a trailing dot.\n\nThis can allow arbitrary sites to set cookies that then would get sent to a\ndifferent and unrelated site or domain.","aliases":["CVE-2022-27779"],"modified":"2026-04-25T20:30:20.829963Z","published":"2022-05-11T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/1553301","www":"https://curl.se/docs/CVE-2022-27779.html","last_affected":"7.83.0","award":{"currency":"USD","amount":"2400"},"package":"curl","affects":"both","severity":"Medium","CWE":{"desc":"Information Exposure Through Sent Data","id":"CWE-201"},"URL":"https://curl.se/docs/CVE-2022-27779.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.82.0"},{"fixed":"7.83.1"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"b27ad8e1d3e68eb3214fcbb398ca436873aa7c67"},{"fixed":"7e92d12b4e6911f424678a133b19de670e183a59"}]}],"versions":["7.83.0","7.82.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2022-27779.json","vanir_signatures_modified":"2026-04-25T20:30:20Z","vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/7e92d12b4e6911f424678a133b19de670e183a59","digest":{"length":123,"function_hash":"18841187454024377606824974569439357584"},"target":{"file":"lib/cookie.c","function":"bad_domain"},"signature_version":"v1","id":"CURL-CVE-2022-27779-978a5942","signature_type":"Function","deprecated":false},{"source":"https://github.com/curl/curl.git/commit/7e92d12b4e6911f424678a133b19de670e183a59","digest":{"line_hashes":["191950345194970261446407905643131804443","329173009489481992410983380530134186182","15521993677655441910605679844043442622","28992939665080169230070541457118691157"],"threshold":0.9},"target":{"file":"lib/cookie.c"},"signature_version":"v1","id":"CURL-CVE-2022-27779-eddeb5ea","signature_type":"Line","deprecated":false}]}}],"schema_version":"1.7.5","credits":[{"name":"Axel Chong","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}