This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.
It could do this by exploiting a mixed case flaw in curls function that
verifies a given cookie domain against the Public Suffix List (PSL). For
example a cookie could be set with domain=co.UK
when the URL used a lower
case hostname curl.co.uk
, even though co.uk
is listed as a PSL domain.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Curl | Haxx | 7.46.0 (including) | 8.4.0 (including) |