Tagged articles
2 articles
Open Source Linux
Mar 27, 2023 · Information Security

How a 23.9‑Year‑Old Curl Bug Exposed Critical Cookie Security Flaws

An in‑depth look at the decades‑long curl vulnerability discovered by Daniel Stenberg, tracing its origins in early cookie handling, the dual‑syntax challenges of RFC 6265, the 2022 security report, and the eventual fix that finally closed a 23.9‑year‑old bug.

CVE-2022-35252 · Cookie · HTTP
Liangxu Linux
Oct 20, 2022 · Information Security

Why a 23‑Year‑Old curl Cookie Bug Went Unnoticed Until 2022

The article recounts how a flaw introduced in curl 4.9's cookie engine in 1998 persisted for 23.9 years, why the dual‑syntax cookie RFC caused confusion, how the bug allowed control‑character cookies to be sent, and how a simple reject‑bytes patch finally fixed CVE‑2022‑35252.

CVE-2022-35252 · Cookie · HTTP