CVE-2022-32205

Name: CVE-2022-32205
Creator: NVD / NIST
Published: 2022-07-07T13:15:08.277+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4.3/10EPSS 26.91%

Last modified Jun 17, 2026

CVE-2022-32205 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. EPSS estimates a 26.91% chance of exploitation in the next 30 days.

Description

A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method.

Metrics

CVSS 3.1

4.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS Probability

26.91%

97.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Haxx	Curl	>= 7.71.0, < 7.84.0
Fedoraproject	Fedora	35
Debian	Debian Linux	11.0
Netapp	Clustered Data Ontap	All versions
Netapp	Element Software	All versions
Netapp	Hci Management Node	All versions
Netapp	Solidfire	All versions
Netapp	H300s Firmware	All versions
Netapp	H500s Firmware	All versions
Netapp	H700s Firmware	All versions
Netapp	H410s Firmware	All versions
Apple	Macos	< 13.0
Siemens	Scalance Sc622-2c Firmware	< 3.0
Siemens	Scalance Sc626-2c Firmware	< 3.0
Siemens	Scalance Sc632-2c Firmware	< 3.0
Siemens	Scalance Sc636-2c Firmware	< 3.0
Siemens	Scalance Sc642-2c Firmware	< 3.0
Siemens	Scalance Sc646-2c Firmware	< 3.0
Splunk	Universal Forwarder	>= 8.2.0, < 8.2.12
Splunk	Universal Forwarder	>= 9.0.0, < 9.0.6
Splunk	Universal Forwarder	9.1.0

References

http://seclists.org/fulldisclosure/2022/Oct/28Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/41Mailing List, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdfPatch, Third Party Advisory
https://hackerone.com/reports/1569946Exploit, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202212-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20220915-0003/Third Party Advisory
https://support.apple.com/kb/HT213488Third Party Advisory
https://www.debian.org/security/2022/dsa-5197Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/28Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/41Mailing List, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdfPatch, Third Party Advisory
https://hackerone.com/reports/1569946Exploit, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202212-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20220915-0003/Third Party Advisory
https://support.apple.com/kb/HT213488Third Party Advisory
https://www.debian.org/security/2022/dsa-5197Third Party Advisory

Timeline

Published: Jul 7, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-32205?

How severe is CVE-2022-32205?

CVE-2022-32205 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 26.91% probability of exploitation in the next 30 days.

How do I fix CVE-2022-32205?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-32205?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST