vulnerability

Arch Linux: Improper Handling of URL Encoding (Hex Encoding) (CVE-2022-27780)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Jun 1, 2022	Jul 11, 2025	Nov 27, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Jun 1, 2022

Added

Jul 11, 2025

Modified

Nov 27, 2025

Description

The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F10.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/10.0.0.1/`. This flaw can be used to circumvent filters, checks and more.

Solution

arch-linux-upgrade-latest

References

CVE-2022-27780
https://attackerkb.com/topics/CVE-2022-27780
URL-https://curl.se/docs/vuln-7.83.0.html
URL-https://hackerone.com/reports/1553841
URL-https://security.gentoo.org/glsa/202212-01
URL-https://security.netapp.com/advisory/ntap-20220609-0009/
CWE-177
CWE-918

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today