CVE-2022-32206

Vendor N/A
Product https://github.com/curl/curl
Weakness CWE-770 · Uncontrolled resource consumption
Published July 7, 2022
Last update May 5, 2025

What the vulnerability does

01 Description

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
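A receiver-side bound on the decompression chain described above, as an added example (not curl's own code): it counts the codings named across a response's encoding header lines and rejects the response before any decoder is allocated. The cap `MAX_CHAIN`, the function names and the sample header values are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

#define MAX_CHAIN 5 /* assumed cap, chosen for this example */

/* Count codings in one header value. Empty list elements ("gzip,,br")
 * are skipped; "chunked" is framing rather than compression and is not
 * counted as a decompression step. */
static size_t count_codings(const char *value)
{
    size_t n = 0;
    while (*value) {
        while (*value == ',' || isspace((unsigned char)*value))
            value++;
        const char *start = value;
        size_t len = 0; /* token length without trailing whitespace */
        for (; *value && *value != ','; value++)
            if (!isspace((unsigned char)*value))
                len = (size_t)(value - start) + 1;
        if (len == 0 || (len == 7 && strncasecmp(start, "chunked", 7) == 0))
            continue;
        n++;
    }
    return n;
}

/* Sum the codings over every header line of a response. Returns 0 when
 * the chain fits in MAX_CHAIN, -1 when the response should be refused.
 * *total receives the count reached when the decision was made. */
int check_decode_chain(const char *const *values, size_t nvalues, size_t *total)
{
    *total = 0;
    for (size_t i = 0; i < nvalues; i++) {
        *total += count_codings(values[i]);
        if (*total > MAX_CHAIN)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed header values: six gzip links split over two lines. */
    const char *hdrs[] = { "gzip,gzip,gzip", "gzip , gzip,, GZIP" };
    size_t total;
    int rc = check_decode_chain(hdrs, 2, &total);
    printf("links=%zu verdict=%s\n", total, rc ? "reject" : "accept");
    return 0;
}
```

The check runs on header text alone, so an over-long chain is refused without allocating a single decompression buffer.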

Key dates

02 Disclosure timeline

July 7, 2022 CVE published
May 5, 2025 Record updated