CVE-2023-46218

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Published: Dec 7, 2023
Updated: May 4, 2025
CVE: CVE-2023-46218
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
haxx / curl	7.46.0	8.4.0.x
fedoraproject / fedora	39	39.x

https://curl.se/docs/CVE-2023-46218.html
https://hackerone.com/reports/2212193
https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
https://lists.fedoraproject.org/archives/list/[email protected]/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
https://security.netapp.com/advisory/ntap-20240125-0007/
https://www.debian.org/security/2023/dsa-5587

Vulnerability Database

289,598

CVE-2023-46218