CVE-2022-27780
📋 TL;DR
The curl URL parser incorrectly accepts percent-encoded URL separators like '/' in hostnames, allowing attackers to bypass filters and checks by making malicious URLs appear legitimate. This affects any application using curl for URL parsing, potentially enabling SSRF attacks and security control bypass.
💻 Affected Systems
- curl
- libcurl
- applications using curl/libcurl
📦 What is this software?
Curl by Haxx
curl is a command-line tool and library for transferring data with URLs. It supports numerous protocols including HTTP, HTTPS, FTP, and more, making it essential for API testing, web scraping, and automated data transfers.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security filters to perform SSRF attacks against internal systems, access restricted resources, or circumvent authentication mechanisms.
Likely Case
Bypass of URL filtering systems, SSRF attacks against internal services, and circumvention of security controls that rely on URL parsing.
If Mitigated
Limited impact with proper network segmentation, egress filtering, and input validation in place.
🎯 Exploit Status
Exploitation requires the attacker to control URL input that gets parsed by curl. Public proof-of-concept examples demonstrate the bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: curl 7.83.1
Vendor Advisory: https://curl.se/docs/CVE-2022-27780.html
Restart Required: No
Instructions:
1. Update curl to version 7.83.1 or later.
2. For Linux distributions: use the package manager (apt/yum/dnf) to update curl.
3. For applications using libcurl: recompile with the updated library.
4. Verify the fix with curl --version.
🔧 Temporary Workarounds
Input validation workaround
Implement strict input validation to reject URLs with percent-encoded separators in hostnames before passing them to curl.
Network filtering
Implement egress filtering to block outbound connections to internal IP addresses from internet-facing systems.
🧯 If You Can't Patch
- Implement strict URL validation in application code to reject percent-encoded separators
- Deploy network segmentation and egress filtering to limit SSRF impact
🔍 How to Verify
Check if Vulnerable:
Check the curl version with 'curl --version'. If the version is between 7.82.0 and 7.83.0 inclusive, the system is vulnerable.
Check Version:
curl --version | head -1
Verify Fix Applied:
After updating, verify that curl reports version 7.83.1 or later with 'curl --version'.
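As an added example (not code from this page or from the curl project), the following Python helper parses the first line of `curl --version` and reports whether both the command-line tool and the libcurl it was built against are at the fixed version 7.83.1 or later. Checking both matters because an application linked against an older shared libcurl stays exposed even when the curl binary itself is new. The only assumption is curl's banner layout, `curl X.Y.Z (triplet) libcurl/X.Y.Z ...`; the sample banner strings are constructed.

```python
import re
import subprocess

# Version in which the fix shipped, as stated in the advisory.
FIXED_VERSION = (7, 83, 1)

_TOOL_RE = re.compile(r"^curl\s+(\d+)\.(\d+)\.(\d+)")
_LIB_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_version(first_line):
    """Return the (major, minor, patch) of the curl tool from its banner line,
    e.g. 'curl 7.83.0 (x86_64-pc-linux-gnu) libcurl/7.83.0 ...', or None."""
    m = _TOOL_RE.match(first_line.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def parse_libcurl_version(first_line):
    """Return the (major, minor, patch) of the libcurl named in the banner, or None."""
    m = _LIB_RE.search(first_line)
    return tuple(int(x) for x in m.groups()) if m else None


def fix_applied(first_line):
    """True only when every version found in the banner is >= 7.83.1.
    A banner that yields no version at all is treated as not verified."""
    versions = [v for v in (parse_curl_version(first_line),
                            parse_libcurl_version(first_line)) if v is not None]
    return bool(versions) and all(v >= FIXED_VERSION for v in versions)


def check_installed_curl():
    """Run the local curl binary; returns True/False, or None if curl is absent."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return fix_applied(out.splitlines()[0])


if __name__ == "__main__":
    # Constructed banner, not real output from any host.
    sample = "curl 7.83.0 (x86_64-pc-linux-gnu) libcurl/7.83.0 OpenSSL/1.1.1n"
    print("sample banner fixed:", fix_applied(sample))
    print("installed curl fixed:", check_installed_curl())
```

Tuple comparison handles major-version rollovers correctly (8.0.1 compares greater than 7.83.1), which string comparison of the banner would not.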
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns with percent-encoded characters in logs
- Requests to internal IP addresses from external sources
Network Indicators:
- Outbound connections to internal IP ranges from internet-facing systems
- URLs with %2F (encoded slash) in hostname portion
SIEM Query:
source="web_logs" AND (url CONTAINS "%2F" OR url CONTAINS "%5C") AND NOT url CONTAINS "?"
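The input-validation workaround above and the network indicator "URLs with %2F in the hostname portion" both come down to the same check: look at the authority part of the URL before anything percent-decodes it, and reject or flag it if an encoded separator is present. The following Python is an added example, not code from this page or from curl, implementing that check once and running it over a few constructed access-log lines (method, URL, status). It assumes absolute URLs with a `scheme://` prefix and, per the page, treats `%2F` ('/') and `%5C` ('\') as the separators of interest; it is deliberately narrower than the SIEM query, which matches those sequences anywhere in the URL.

```python
import re

# Percent-encoded separators the advisory calls out, matched case-insensitively
# so that %2f is caught as well as %2F.
ENCODED_SEPARATORS = re.compile(r"%(2F|5C)", re.IGNORECASE)


def authority_part(url):
    """Return the raw authority (userinfo@host:port) of an absolute URL without
    decoding it, or None when there is no scheme://. Decoding first would be
    the mistake the advisory describes, so the raw bytes are inspected."""
    idx = url.find("://")
    if idx < 0:
        return None
    rest = url[idx + 3:]
    end = len(rest)
    # The authority ends at the first unencoded path, query, or fragment delimiter.
    for ch in "/?#":
        pos = rest.find(ch)
        if pos >= 0:
            end = min(end, pos)
    return rest[:end]


def host_has_encoded_separator(url):
    """True when the authority part contains %2F or %5C."""
    auth = authority_part(url)
    return auth is not None and ENCODED_SEPARATORS.search(auth) is not None


def validate_url(url):
    """Workaround from the advisory: refuse the URL before handing it to curl."""
    if host_has_encoded_separator(url):
        raise ValueError("percent-encoded separator in URL authority: %r" % url)
    return url


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
GET http://example.com/path?x=1 200
GET http://example.com%2F10.0.0.5/admin 200
GET http://user%40example.com@10.0.0.5/ 200
GET http://example.com/a%2Fb 200
GET http://example.com%5c192.168.1.10/ 403
"""


def scan_log(text):
    """Return the URLs from space-separated log lines whose authority carries
    an encoded separator; lines without a URL field are skipped."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if host_has_encoded_separator(parts[1]):
            hits.append(parts[1])
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("flagged:", hit)
```

Line 4 of the sample carries `%2F` only in the path, which is ordinary and legitimate, so it is not flagged; line 3 encodes `@` rather than a separator and is likewise left alone. Running the detection on the raw authority rather than the whole URL keeps the false-positive rate of the broader SIEM query down.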