CVE-2022-43551

Name: CVE-2022-43551
Creator: NVD / NIST
Published: 2022-12-23T15:15:15.777+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 17.01%

Last modified Jun 17, 2026

CVE-2022-43551 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. EPSS estimates a 17.01% chance of exploitation in the next 30 days.

Description

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

17.01%

96.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Haxx	Curl	>= 7.77.0, < 7.87.0
Fedoraproject	Fedora	37
Netapp	Active Iq Unified Manager	All versions
Netapp	Oncommand Insight	All versions
Netapp	Oncommand Workflow Automation	All versions
Netapp	Snapcenter	All versions
Splunk	Universal Forwarder	>= 8.2.0, < 8.2.12
Splunk	Universal Forwarder	>= 9.0.0, < 9.0.6
Splunk	Universal Forwarder	9.1.0

References

https://hackerone.com/reports/1755083Exploit, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202310-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20230427-0007/Third Party Advisory
https://hackerone.com/reports/1755083Exploit, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/Mailing List, Third Party Advisory
https://security.gentoo.org/glsa/202310-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20230427-0007/Third Party Advisory

Timeline

Published: Dec 23, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-43551?

How severe is CVE-2022-43551?

CVE-2022-43551 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 17.01% probability of exploitation in the next 30 days.

How do I fix CVE-2022-43551?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-43551?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST