QwikSec

Security Database

CVE

CWE

Training

CVE-2022-32206

Published: Jul 7, 2022

Modified: May 5, 2025

PUBLISHED

Description

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors.

Vendor	Product	Versions
n/a	https://github.com/curl/curl	affected `Fixed in 7.84.0`

Weaknesses (CWE)

References

https://hackerone.com/reports/1570651

FEDORA-2022-1b3d7f6973

vendor-advisory

vendor-advisory

[debian-lts-announce] 20220828 [SECURITY] [DLA 3085-1] curl security update

mailing-list

https://security.netapp.com/advisory/ntap-20220915-0003/

https://support.apple.com/kb/HT213488

20221030 APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13

mailing-list

20221030 APPLE-SA-2022-10-24-2 macOS Ventura 13

mailing-list

https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf

vendor-advisory

[oss-security] 20230215 curl: CVE-2023-23916: HTTP multi-header compression denial of service

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.