curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 7.71.0, <= 8.19.0
A vulnerability has been identified in libcurl versions from 7.71.0 up to, but not including, 8.20.0, in which cookies can leak between different HTTP hosts when the same easy handle is reused. This occurs when a custom 'Host' header is set for one request and a subsequent request is made without that header, causing libcurl to reuse stale cookie information intended for the first host. The issue does not affect the curl command line tool.
Exploitation of this vulnerability allows for cross-origin cookie leakage, where an attacker can access cookies from a different origin, and cookie jar poisoning, where malicious cookies can be injected and later replayed to the victim origin.
The vulnerability can be reproduced by sending an HTTP request with a custom 'Host' header using a libcurl easy handle. Then, send a second request with the same easy handle but without the custom 'Host' header. The second request will inadvertently include cookies meant for the first host, leaking them to the current request.
Users are advised to upgrade to libcurl version 8.20.0 or apply the patch available in the curl GitHub repository.
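To triage hosts against the affected range listed above, the following added example (not from the curl project or this advisory's source) extracts the `libcurl/X.Y.Z` field from `curl --version` output and tests it against >= 7.71.0, <= 8.19.0. The function names and sample banners are constructed for illustration, and the check only covers the libcurl that the curl binary is linked against; applications that bundle their own libcurl need to be checked separately.

```shell
#!/bin/sh
# Added example: flag libcurl versions inside this entry's affected range.
# Function names are hypothetical; sample banners below are constructed.

# Extract the libcurl version (not the curl tool version) from `curl --version` output.
libcurl_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/.*libcurl\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Convert X.Y.Z into one comparable integer; fails on anything else.
version_to_int() {
    case $1 in *.*.*) ;; *) return 1 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 1 ;; esac
    done
    echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Exit status: 0 = affected, 1 = not affected, 2 = version could not be parsed.
libcurl_is_affected() {
    v=$(version_to_int "$1") || return 2
    lo=$(version_to_int 7.71.0)
    hi=$(version_to_int 8.19.0)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Constructed sample banners (not captured from real systems).
for banner in \
    "curl 7.70.0 (x86_64-pc-linux-gnu) libcurl/7.70.0 OpenSSL/1.1.1g" \
    "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13" \
    "curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.5.0"
do
    ver=$(libcurl_version_from_banner "$banner")
    rc=0; libcurl_is_affected "$ver" || rc=$?
    case $rc in
        0) echo "libcurl $ver: inside affected range, upgrade to 8.20.0" ;;
        1) echo "libcurl $ver: outside affected range" ;;
        *) echo "could not parse libcurl version from banner" ;;
    esac
done

# On a live host:
#   libcurl_is_affected "$(libcurl_version_from_banner "$(curl --version)")"
```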