CVE-2014-2522 in cURLinfo

Summary

by MITRE

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/11/2026

This vulnerability exists in curl and libcurl versions 7.27.0 through 7.35.0 when operating on Windows systems using the SChannel/Winssl TLS backend. The flaw represents a critical breakdown in the certificate validation process that fundamentally compromises the security of TLS connections. The vulnerability specifically affects scenarios where users access URLs containing numerical IP addresses rather than domain names, creating a dangerous gap in the certificate verification mechanism that attackers can exploit to conduct successful man-in-the-middle attacks.

The technical root cause of this vulnerability lies in the improper implementation of hostname verification within the SChannel backend on Windows systems. According to the Common Weakness Enumeration framework, this maps to CWE-295 which describes improper certificate validation or hostname verification. The flaw occurs because the implementation fails to properly validate that the server certificate's subject matches the target hostname when the URL contains an IP address. This is a deviation from the standard TLS certificate validation procedures that should ensure certificate authenticity through proper hostname matching in either the Common Name field or the subjectAltName extension of the X.509 certificate structure.

The operational impact of this vulnerability is severe and directly enables man-in-the-middle attacks against systems using affected curl versions. Attackers can successfully spoof servers by presenting arbitrary valid certificates that contain matching IP addresses in their certificate fields, while the client software fails to detect this mismatch. This vulnerability specifically affects Windows environments using the SChannel backend and does not impact other operating systems or TLS backends such as OpenSSL. The risk is particularly elevated in environments where users frequently access web services using IP addresses rather than domain names, which is common in internal network scenarios or when accessing load balancers and reverse proxies.

The attack vector for this vulnerability is well-defined and accessible to adversaries with network interception capabilities. An attacker positioned between the client and server can intercept communications and present a valid certificate that matches the IP address in the URL, bypassing the normal certificate validation checks that should prevent such impersonation. This vulnerability aligns with the MITRE ATT&CK framework's technique T1071.004 for application layer protocol: DNS, as it exploits weaknesses in the TLS certificate validation process that should prevent such spoofing attacks. Organizations using affected curl versions in Windows environments are particularly vulnerable, especially in scenarios involving internal network communications, API calls to IP-based services, or when accessing cloud services through IP addresses rather than domain names.

Mitigation strategies for this vulnerability require immediate action including upgrading to curl and libcurl versions 7.35.1 or later where the issue has been resolved. System administrators should also implement additional security controls such as certificate pinning for critical applications, network segmentation to reduce attack surface, and monitoring for unusual certificate validation behavior. Organizations should conduct comprehensive inventory assessments to identify all systems running affected curl versions and implement patch management processes to ensure timely remediation. The fix implemented in newer versions ensures proper hostname verification regardless of whether URLs contain domain names or IP addresses, restoring the expected security properties of TLS certificate validation.

Reservation

03/17/2014

Disclosure

04/18/2014

Moderation

accepted

Entry

VDB-12693

CPE

ready

EPSS

0.02576

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!