{"id":"CVE-2022-27780","details":"The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to circumvent filters, checks and more.","aliases":["CURL-CVE-2022-27780"],"modified":"2026-03-14T11:39:36.358915Z","published":"2022-06-02T14:15:44.267Z","related":["openSUSE-SU-2024:12062-1"],"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202212-01"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220609-0009/"},{"type":"EVIDENCE","url":"https://hackerone.com/reports/1553841"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"9e560d11aad028de74addc0d1edfefa5667884f4"},{"fixed":"462196e6b4a47f924293a0e26b8e9c23d37ac26f"}],"database_specific":{"versions":[{"introduced":"7.80.0"},{"fixed":"7.83.1"}]}}],"versions":["curl-7_80_0","curl-7_81_0","curl-7_82_0","curl-7_83_0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"8.2.0"},{"fixed":"8.2.12"}]},{"events":[{"introduced":"9.0.0"},{"fixed":"9.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"9.1.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-27780.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}