Is CVE-2022-32221 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 4%.

What products does CVE-2022-32221 affect?

Tracked products affected include curl. Check the version you run to see whether it is affected.

How do I fix CVE-2022-32221?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2022-32221

Q: What is CVE-2022-32221?

CVE-2022-32221 is a critical-severity software vulnerability (Information disclosure) with a CVSS score of 9.8. When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT`

CRITICAL severity · CVSS 9.8 · Information disclosure

9.8CVSS CRITICAL

Summary

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)4%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

curl

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2022-32221

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information