Updated: 2024-01-25 19:56:30.125113


This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that would then get sent to different and unrelated sites and domains. It could do this by exploiting a mixed-case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example, a cookie could be set with `domain=co.UK` when the URL used a lower case hostname ``, even though `` is listed as a PSL domain.
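The check described above, as an added example in C: this is a simplified model, not curl's own code. The two-entry suffix list, the hostname and the function names are constructed for illustration. It shows a case-sensitive suffix lookup next to a hardened version that lower-cases the `domain` attribute first.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed two-entry stand-in for the Public Suffix List. */
static const char *const PSL[] = { "uk", "co.uk" };

/* Exact, case-sensitive lookup: only matches the lower-case list entries. */
static int is_public_suffix(const char *d) {
    for (size_t i = 0; i < sizeof PSL / sizeof PSL[0]; i++)
        if (strcmp(d, PSL[i]) == 0) return 1;
    return 0;
}

/* Case-insensitive tail match: is host equal to domain or a subdomain of it? */
static int tail_match(const char *host, const char *domain) {
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || dl > hl) return 0;
    const char *tail = host + (hl - dl);
    for (size_t i = 0; i < dl; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)domain[i]))
            return 0;
    return hl == dl || tail[-1] == '.';
}

/* Flawed: the suffix lookup sees the attribute in its original case. */
int accept_cookie_flawed(const char *host, const char *domain) {
    return tail_match(host, domain) && !is_public_suffix(domain);
}

/* Hardened: lower-case the attribute before the suffix lookup. */
int accept_cookie_hardened(const char *host, const char *domain) {
    char norm[256];
    size_t n = strlen(domain);
    if (n == 0 || n >= sizeof norm) return 0;   /* reject empty or oversized */
    for (size_t i = 0; i <= n; i++)             /* copies the terminator too */
        norm[i] = (char)tolower((unsigned char)domain[i]);
    return tail_match(host, norm) && !is_public_suffix(norm);
}

int main(void) {
    const char *host = "shop.example.co.uk";    /* constructed hostname */
    printf("flawed   co.UK: %d\n", accept_cookie_flawed(host, "co.UK"));
    printf("hardened co.UK: %d\n", accept_cookie_hardened(host, "co.UK"));
    printf("hardened example.co.uk: %d\n",
           accept_cookie_hardened(host, "example.co.uk"));
    return 0;
}
```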



Severity Score
CVSS Version 2.x 0
CVSS Version 3.x MEDIUM 6.5


| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
| --- | --- | --- | --- | --- | --- | --- | --- |
| AlmaLinux 9.2 ESU | curl | 7.76.1 | 6.5 | MEDIUM | Released | CLSA-2024:1712672068 | 2024-04-09 11:15:15 |
| CentOS 8.4 ELS | curl | 7.61.1 | 6.5 | MEDIUM | Ignored | | 2023-12-13 10:08:57 |
| CentOS 8.5 ELS | curl | 7.61.1 | 6.5 | MEDIUM | Ignored | | 2023-12-13 08:37:39 |
| Ubuntu 16.04 ELS | curl | 7.47.0 | 6.5 | MEDIUM | Released | CLSA-2024:1710786562 | 2024-03-18 17:11:32 |
| Ubuntu 18.04 ELS | curl | 7.58.0-2 | 6.5 | MEDIUM | Released | CLSA-2024:1710436611 | 2024-03-14 14:10:41 |