{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2022-27780",
  "aliases": [
    "CVE-2022-27780"
  ],
  "summary": "percent-encoded path separator in URL host",
  "modified": "2026-04-25T17:48:46.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2022-27780.json",
    "www": "https://curl.se/docs/CVE-2022-27780.html",
    "issue": "https://hackerone.com/reports/1553841",
    "CWE": {
      "id": "CWE-177",
      "desc": "Improper Handling of URL Encoding"
    },
    "award": {
      "amount": "2400",
      "currency": "USD"
    },
    "last_affected": "7.83.0",
    "severity": "Medium"
  },
  "published": "2022-05-11T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.80.0"},
             {"fixed": "7.83.1"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "9a8564a920188e49d5bd8c1c8573ddef97f6e03a"},
             {"fixed": "914aaab9153764ef8fa4178215b8ad89d3ac263a"}
           ]
        }
      ],
      "versions": [
        "7.83.0", "7.82.0", "7.81.0", "7.80.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Axel Chong",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "The curl URL parser wrongly accepts percent-encoded URL separators like '/'\nwhen decoding the hostname part of a URL, making it a *different* URL using\nthe wrong hostname when it is later retrieved.\n\nFor example, a URL like `http://example.com%2F10.0.0.1/` would be allowed by\nthe parser and get transformed into `http://example.com/10.0.0.1/`. This flaw\ncan be used to circumvent filters, checks and more."
}