trailing dot domain super cookie ================================ Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-8924.html) VULNERABILITY ------------- A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set "super cookies" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains. INFO ---- The attacker would do this by setting the cookie for a *domain* using a trailing dot (for example like `domain=co.uk.`) when a trailing dot hostname is used in the URL curl works with (for example `https://example.co.uk.`. When curl is built without PSL support, it cannot protect against this problem but it is expected to not allow "too wide" cookies when PSL support is enabled. Trailing dots in hostnames is a menace and a plague that keeps haunting us and the world at large. It is not commonly used and the trailing dot cannot be passed in the TLS SNI fields, which makes them hard to inter-operate with. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8924 to this issue. CWE-201: Information Exposure Through Sent Data Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 7.46.0 to and including 8.20.0 - Not affected versions: curl < 7.46.0 and >= 8.20.0 - Introduced-in: https://github.com/curl/curl/commit/e77b5b7453c1e8c libcurl is used by many applications, but not always advertised as such! This flaw is also accessible using the curl command line tool. SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/51beed175dbfc37da3113f6acc RECOMMENDATIONS -------------- A - Upgrade curl to version 8.20.0 B - Apply the patch to your local version C - Do not use trailing dots on hostnames TIMELINE -------- This issue was reported to the curl project on May 13, 2026. We contacted distros@openwall on June XX, 2026. curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: vegagent on hackerone - Patched-by: Daniel Stenberg Thanks a lot!