CVE-2023-46218

Name: CVE-2023-46218
Creator: NVD / NIST
Published: 2023-12-07T01:15:07.16+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 1.69%

Last modified Jun 17, 2026

CVE-2023-46218 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). EPSS estimates a 1.69% chance of exploitation in the next 30 days.

Description

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Probability

1.69%

74.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-178

Affected Software

Vendor	Product	Versions
Haxx	Curl	>= 7.46.0, <= 8.4.0
Fedoraproject	Fedora	39

References

https://curl.se/docs/CVE-2023-46218.htmlPatch, Vendor Advisory
https://hackerone.com/reports/2212193Exploit, Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
https://security.netapp.com/advisory/ntap-20240125-0007/
https://www.debian.org/security/2023/dsa-5587
https://curl.se/docs/CVE-2023-46218.htmlPatch, Vendor Advisory
https://hackerone.com/reports/2212193Exploit, Issue Tracking, Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
https://security.netapp.com/advisory/ntap-20240125-0007/
https://www.debian.org/security/2023/dsa-5587
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
https://cert-portal.siemens.com/productcert/html/ssa-093430.html
https://cert-portal.siemens.com/productcert/html/ssa-202008.html
https://cert-portal.siemens.com/productcert/html/ssa-331112.html

Timeline

Published: Dec 7, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-46218?

How severe is CVE-2023-46218?

CVE-2023-46218 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.69% probability of exploitation in the next 30 days.

How do I fix CVE-2023-46218?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-46218?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST