CVE-2021-22890
curl 7.63.0 up to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy, treat them as if they arrived from the remote server, and then wrongly "short-cut" the host handshake. By confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket to resume for the host, thereby circumventing the server TLS certificate check and making it possible to perform a MITM attack unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work, unless curl has been told to ignore the server certificate check.
EPSS 0.07% · 21.4th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | curl | 0, 7.65.3-1ubuntu4, 7.66.0-1ubuntu1 |
Exploit Intelligence
- https://hackerone.com/reports/1129529 (nist-nvd)
- CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (hackerone)
- cve_version_check.go (github-poc)
- CVE-2025-38062.yara (github-yara)
…and 34 more exploits
Timeline
- CVE Published
- Apr 14, 2021 EPSS Score
- Apr 30, 2021 PoC Published
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Mar 9, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-22890 third-party-advisory
- https://curl.se/docs/CVE-2021-22890.html third-party-advisory
- https://ubuntu.com/security/notices/USN-4898-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-22890 third-party-advisory