CVE Tools

CVE-2022-43551

Published: Dec 23, 2022Updated: Feb 13, 2026 Sources: CVE List NVD BDU csafCWE-319

No Known Exploits

Patch Available

Description

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

CVSS Vector Breakdown

Exploitability

AV:NAttack Vector

Network

AC:LAttack Complexity

Low

PR:NPrivileges Required

None

UI:NUser Interaction

None

Scope

S:UScope

Unchanged

Impact

C:HConfidentiality

High

I:NIntegrity

None

A:NAvailability

None

Open in CVSS calculator →

Weaknesses

Affected Products

JBoss Core Services Red Hat Inc.

On-premDev Tool

DevTools & CI / ide-editor

РЕД ОС ООО «Ред Софт»

On-premOS

Operating Systems / linux-distro

Альт 8 СП АО «ИВК»

On-premOS

Operating Systems / linux-distro

Fedora Fedora Project

On-premOS

Operating Systems / linux-distro

ОСОН ОСнова Оnyx АО «НППКТ»

On-premOS

Operating Systems / linux-distro

red hat inc.commercialUSOperating Systemsaka red hat

ооо «ред софт»commercialRUOperating Systemsaka red soft

ао «ивк»commercialRUOperating Systemsaka ivk

fedora projectoss-projectUSOperating Systemsaka fedora

ао «нппкт»commercialRUOperating Systems

and 11 more affected products View all →

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

Official Patch Available

MITRE ATT&CK

2 techniques

Collection

Credential Access

View detailed technique mapping

References

https://redos.red-soft.ru/support/secure/uyazvimosti/uyazvimost-curl-cve-2022-43551/

redos.red-soft.ru

https://access.redhat.com/security/cve/cve-2022-43551

access.redhat.com

https://hackerone.com/reports/1755083

and 18 more references View all →

Timeline

Published

Dec 23, 2022

Last Updated

Feb 13, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2022-43551 and every CVE in our database. Create a free account — no credit card required.

Create Free Account

Plain-language analysis

Impact assessment and exploitation scenario in plain English

Attack graph visualization

Interactive attack path and kill chain mapping

Exploit details & PoC links

ExploitDB, Metasploit, GitHub PoCs with direct links

Nuclei scanner templates

Ready-to-use vulnerability scanner templates

Full remediation guide

Patch instructions, workarounds, and compliance impact

Interactive AI chat

Ask questions about this vulnerability in natural language

Related vulnerabilities

Semantically similar CVEs and attack patterns

REST API & MCP access

Integrate vulnerability data into your workflows