How a 23‑Year‑Old Curl Cookie Bug Evaded Detection Until 2022
This article recounts the 23.9‑year lifespan of a curl cookie handling vulnerability, tracing its origins in 1998, the evolution of cookie specifications, the discovery of the CVE‑2022‑35252 bug, and the eventual fix that finally eliminated the flaw after nearly 9,000 days.
Background
Daniel Stenberg, the author of curl, recently shared a vulnerability that had existed for 23.9 years. curl, first released in 1997, introduced a cookie engine in version 4.9 (October 1998), allowing it to receive, parse, and return HTTP cookies.
Early Cookie Specification
At that time, cookie specifications were informal and based on a Netscape‑maintained document called cookie_spec. The implementation in curl was largely based on that document and the behavior of contemporary browsers.
Dual Syntax Challenge
The later cookie RFC introduced two different syntaxes—one for how servers send cookies and another for how clients receive them—making the specification hard to read and leading to confusion.
Evolution of the Specification
After years of failed attempts, the official cookie RFC was finally published in 2011 (RFC 6265). Stenberg participated in its development, though he did not fully agree with all its provisions.
Impact on curl
The original cookie code accepted control‑character bytes in cookie names and values. When such a cookie is sent back to a server, many HTTP servers (e.g., Apache httpd since version 2.4.25 and recent Nginx releases) reject the request with a 400 response. For example, a server might send:

    Set-cookie: name^a=content^b; domain=.example.com

Here ^a and ^b represent control characters. The corresponding request header curl would send back is:

    cookie: name^a=content^b

Both Apache and Nginx treat such a cookie as malformed and refuse the request.
Discovery and Fix
In June 2022, Stenberg received a report that led to CVE‑2022‑35252. The fix simply rejects any cookie containing prohibited byte values, aligning curl’s behavior with major browsers, which already ignore cookies containing bytes %01‑%08, %0b‑%0c, %0e‑%1f, and %7f (excluding TAB and line‑break characters).
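As an added illustration (not curl's own code), the following Python models a small cookie jar before and after the fix: the legacy jar stores the control‑byte cookie and produces a Cookie header that a strict server answers with 400, while the fixed jar drops it using the byte ranges listed above. The strict‑server check and the sample headers are simplified assumptions constructed for this example.

```python
# Added example, not curl's own code: a toy cookie jar that models the
# CVE-2022-35252 fix. The rejected byte ranges are the ones the article lists.
PROHIBITED = set(range(0x01, 0x09)) | {0x0B, 0x0C} | set(range(0x0E, 0x20)) | {0x7F}

def has_prohibited_byte(s: str) -> bool:
    """True if any character falls in the rejected control-byte ranges."""
    return any(ord(ch) in PROHIBITED for ch in s)

def parse_set_cookie(header: str) -> tuple[str, str, dict]:
    """Split a Set-Cookie value into (name, value, attributes); attribute keys lower-cased.
    Only space and TAB are stripped, so control bytes in the name/value are preserved."""
    parts = [p.strip(" \t") for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip(" \t").lower()] = val.strip(" \t")
    return name.strip(" \t"), value.strip(" \t"), attrs

def store_cookie(jar: dict, header: str, reject_control_bytes: bool) -> bool:
    """Legacy mode (reject_control_bytes=False) stores anything; fixed mode drops bad cookies."""
    name, value, _attrs = parse_set_cookie(header)
    if reject_control_bytes and (has_prohibited_byte(name) or has_prohibited_byte(value)):
        return False
    jar[name] = value
    return True

def cookie_header(jar: dict) -> str:
    """Build the Cookie request header the client would send back."""
    return "; ".join(f"{n}={v}" for n, v in jar.items())

def strict_server_status(cookie_hdr: str) -> int:
    """Simplified model (assumption) of a server that answers 400 to control bytes in Cookie."""
    return 400 if has_prohibited_byte(cookie_hdr) else 200

# Constructed sample headers: 0x01 and 0x02 stand in for the article's ^a and ^b.
SAMPLE_HEADERS = ["session=abc123; Path=/", "name\x01=content\x02; domain=.example.com"]

def simulate(reject_control_bytes: bool) -> tuple[str, int]:
    """Return the Cookie header produced and the status the strict server would give."""
    jar: dict = {}
    for hdr in SAMPLE_HEADERS:
        store_cookie(jar, hdr, reject_control_bytes)
    hdr = cookie_header(jar)
    return hdr, strict_server_status(hdr)
```

Running `simulate(False)` reproduces the pre‑fix failure (request refused with 400), while `simulate(True)` shows the fixed client sending only the clean cookie.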
Conclusion
The vulnerable code existed from curl 4.9 until it was finally patched in curl 7.85.0, a span of 8,729 days (23.9 years). The bug illustrates how legacy code can become a denial‑of‑service vector when server implementations start enforcing stricter request validation.