{"id":"CURL-CVE-2022-32205","summary":"Set-Cookie denial of service","details":"A malicious server can serve excessive amounts of `Set-Cookie:` headers in a\nHTTP response to curl and curl stores all of them. A sufficiently large amount\nof (big) cookies make subsequent HTTP requests to this, or other servers to\nwhich the cookies match, create requests that become larger than the threshold\nthat curl uses internally to avoid sending crazy large requests (1048576\nbytes) and instead returns an error.\n\nThis denial state might remain for as long as the same cookies are kept, match\nand have not expired. Due to cookie matching rules, a server on\n`foo.example.com` can set cookies that also would match for `bar.example.com`,\nmaking it possible for a \"sister server\" to effectively cause a denial of\nservice for a sibling site on the same second level domain using this method.","aliases":["CVE-2022-32205"],"modified":"2026-04-25T20:30:21.779253Z","published":"2022-06-27T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2022-32205.html","last_affected":"7.83.1","severity":"Low","CWE":{"id":"CWE-770","desc":"Allocation of Resources Without Limits or 
Throttling"},"package":"curl","URL":"https://curl.se/docs/CVE-2022-32205.json","affects":"both","issue":"https://hackerone.com/reports/1569946","award":{"amount":"480","currency":"USD"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.71.0"},{"fixed":"7.84.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ed35d6590e72c23c568af1e3b8ac6e4e2d883888"},{"fixed":"48d7064a49148f03942380967da739dcde1cdc24"}]}],"versions":["7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2022-32205-16284ad6","digest":{"length":1482,"function_hash":"44856816709060387698857799086001880414"},"deprecated":false,"target":{"function":"Curl_http_cookies","file":"lib/http.c"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/48d7064a49148f03942380967da739dcde1cdc24"},{"id":"CURL-CVE-2022-32205-3498864a","digest":{"line_hashes":["285788908128754277806203243725509779188","215223981281964683699010843566616901130","337918680823130709335075237609958509333","31091562957172181788836708827238943007"],"threshold":0.9},"deprecated":false,"target":{"file":"lib/urldata.h"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/48d7064a49148f03942380967da739dcde1cdc24"},{"id":"CURL-CVE-2022-32205-4b2f770c","digest":{"line_hashes":["42401565821253743533698856110427635553","289573902139677390556467337569149814996","108766067958629853036051977100944312584","72930070722242242716134039460370112838","115172872356202962755951875388100295409","90128714653745737404734994216528154255","194812740377909909145009966131849467170","27712211292545613830103936157074513221","94908941393509708542915434406659782964","290833222361279288344615079258303183804","163309842069244067829690908496458101330","26719533673650424228345
2321987766676054","243500615670928317332646905766134524314","67029305311913950002922531596468130157","169999781548479622370195385069732350200","81970080671058689511032354689698511816","44838991163309211340580440824580546770","53774490026418924724469109431687253514","143303264542862435961945377226955029891","98204869489589396828928259163789724049","166657373838101050687841496411781250413","260743206760803509016288653921765511264"],"threshold":0.9},"deprecated":false,"target":{"file":"lib/http.c"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/48d7064a49148f03942380967da739dcde1cdc24"},{"id":"CURL-CVE-2022-32205-654a4dd6","digest":{"length":1216,"function_hash":"30254430020239649490734704415517798863"},"deprecated":false,"target":{"function":"Curl_cookie_getlist","file":"lib/cookie.c"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/48d7064a49148f03942380967da739dcde1cdc24"},{"id":"CURL-CVE-2022-32205-a2655a17","digest":{"length":10110,"function_hash":"200387196456884772628138535212581116433"},"deprecated":false,"target":{"function":"Curl_cookie_add","file":"lib/cookie.c"},"signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/48d7064a49148f03942380967da739dcde1cdc24"},{"id":"CURL-CVE-2022-32205-beb8d5fa","digest":{"line_hashes":["319990965525942506699335375935194533643","257040997033756347215855998668153623646","230817991934740565297086025360547704749","123491371807463895598372670483942760335","226381500543036867719128539403591970796","144459013500567600845170546078205781995","148479872776947907128144642510397511669"],"threshold":0.9},"deprecated":false,"target":{"file":"lib/cookie.h"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/48d7064a49148f03942380967da739dcde1cdc24"},{"id":"CURL-CVE-2022-32205-e386b3ad","digest":{"line_hashes":["2921541971392588960994921851
13494553520","186888826304681870800909907759855374156","37317142846800747730249524252618689897","207363572555643828734100126338124281102","190156279237247962380515597391486567792","82839648143238759749415144811059651342","235346230204437528239191034237756965334","260046648995034047250893719646870128124","184049739219249913186505779661534077664","43207676442614300691537532583089665768","313424783264293840592141801889023429248","68282861202683080037429111660685913740","8977130176485821300641133672000777941","78996891550401605421963815190133678464"],"threshold":0.9},"deprecated":false,"target":{"file":"lib/cookie.c"},"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/48d7064a49148f03942380967da739dcde1cdc24"}],"vanir_signatures_modified":"2026-04-25T20:30:21Z","source":"https://curl.se/docs/CURL-CVE-2022-32205.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}