CVE-2022-27775
📋 TL;DR
This curl vulnerability allows information disclosure when an attacker can force curl to reuse an existing IPv6 connection from the pool with a different zone identifier, potentially exposing sensitive data. It affects applications using curl versions 7.65.0 through 7.82.0 for IPv6 connections. Systems making IPv6 requests through vulnerable curl versions are at risk.
💻 Affected Systems
- curl
- libcurl
- applications using curl/libcurl
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
SolidFire & HCI Management Node by NetApp
⚠️ Risk & Real-World Impact
Worst Case
An attacker could intercept or manipulate sensitive data transmitted over IPv6 connections, potentially leading to credential theft, session hijacking, or data leakage.
Likely Case
Information disclosure where an attacker with network access could observe or manipulate data between curl and IPv6 endpoints, particularly in shared hosting or multi-tenant environments.
If Mitigated
Limited impact if proper network segmentation, TLS encryption, and IPv6 security controls are in place.
🎯 Exploit Status
Exploitation requires network access to manipulate IPv6 connections and knowledge of connection pool behavior.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.83.0
Vendor Advisory: https://curl.se/docs/CVE-2022-27775.html
Restart Required: No
Instructions:
1. Update curl to version 7.83.0 or later.
2. For Linux: use the package manager (apt-get update && apt-get upgrade curl, yum update curl, etc.).
3. For Windows: download the latest release from curl.se.
4. Recompile applications that link libcurl statically.
🔧 Temporary Workarounds
Disable connection reuse
Prevent curl from reusing pooled connections by setting the CURLOPT_FORBID_REUSE option
curl_easy_setopt(curl, CURLOPT_FORBID_REUSE, 1L);
Disable IPv6
Force curl to use IPv4 only, if IPv6 is not required
curl_easy_setopt(curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
🧯 If You Can't Patch
- Implement network segmentation to restrict access to curl clients
- Use TLS encryption for all network communications to protect data in transit
🔍 How to Verify
Check if Vulnerable:
Check the curl version with curl --version | head -1. If the version is between 7.65.0 and 7.82.0 inclusive, the system is vulnerable.
Check Version:
curl --version | head -1
Verify Fix Applied:
Verify curl version is 7.83.0 or later: curl --version | head -1
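The version check above can be scripted so it runs the same way on every host. The following POSIX shell snippet is an added example, not part of the advisory: it parses the first line of curl --version output and reports whether the version falls inside the 7.65.0 to 7.82.0 range. The banner strings in the loop are constructed samples, not output captured from a real system. One caveat that applies to any version-range check: distributions such as Debian (see DSA-5197 in the references) backport the fix while keeping the old upstream version number, so a hit from this check should be confirmed against the package changelog before being treated as vulnerable.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a `curl --version` banner
# against the CVE-2022-27775 affected range 7.65.0 .. 7.82.0 inclusive.
# Only the upstream version number is examined; distro backports are not detected.

# Convert "X.Y.Z" into a single integer (X*1000000 + Y*1000 + Z) for comparison.
version_key() {
    printf '%s' "$1" | awk -F. '{ printf "%d", ($1 * 1000000) + ($2 * 1000) + ($3 + 0) }'
}

# Extract the version from the first line of `curl --version` output.
# Input : "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 ..."
# Output: "7.81.0" (empty if the banner does not match)
curl_banner_version() {
    printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the banner's version is inside the affected range,
# 1 when it is outside, 2 when the banner could not be parsed.
curl_version_vulnerable() {
    v=$(curl_banner_version "$1")
    [ -n "$v" ] || return 2
    k=$(version_key "$v")
    lo=$(version_key 7.65.0)
    hi=$(version_key 7.82.0)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Constructed sample banners (not captured from a real system).
for banner in \
    "curl 7.64.1 (x86_64-pc-linux-gnu) libcurl/7.64.1 OpenSSL/1.1.1n" \
    "curl 7.65.0 (x86_64-pc-linux-gnu) libcurl/7.65.0 OpenSSL/1.1.1n" \
    "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2" \
    "curl 7.82.0 (x86_64-pc-linux-gnu) libcurl/7.82.0 OpenSSL/3.0.2" \
    "curl 7.83.0 (x86_64-pc-linux-gnu) libcurl/7.83.0 OpenSSL/3.0.2"
do
    if curl_version_vulnerable "$banner"; then
        echo "in affected range : $banner"
    else
        echo "not in range      : $banner"
    fi
done
```

On a live host, replace the sample loop with curl_version_vulnerable "$(curl --version | head -1)" and act on the exit status. The range boundaries are compared as integers rather than as strings so that 7.9.x-style comparisons cannot misorder two-digit minor versions.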
📡 Detection & Monitoring
Log Indicators:
- Unusual IPv6 connection patterns
- Multiple connection attempts with different zone IDs
Network Indicators:
- IPv6 traffic with manipulated zone identifiers
- Unexpected connection reuse patterns
SIEM Query:
source="curl" AND (version="7.65.*" OR version="7.66.*" OR version="7.67.*" OR version="7.68.*" OR version="7.69.*" OR version="7.70.*" OR version="7.71.*" OR version="7.72.*" OR version="7.73.*" OR version="7.74.*" OR version="7.75.*" OR version="7.76.*" OR version="7.77.*" OR version="7.78.*" OR version="7.79.*" OR version="7.80.*" OR version="7.81.*" OR version="7.82.*")
🔗 References
- https://hackerone.com/reports/1546268
- https://security.gentoo.org/glsa/202212-01
- https://security.netapp.com/advisory/ntap-20220609-0008/
- https://www.debian.org/security/2022/dsa-5197