CVE-2021-22897 in cURLinfo

Summary

by MITRE • 06/11/2021

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/29/2026

The vulnerability identified as CVE-2021-22897 represents a critical security flaw in the curl library version 7.61.0 through 7.76.1 when configured to utilize the Schannel TLS library on Windows systems. This issue manifests as a session data exposure problem that fundamentally undermines the security assurances of secure communications. The flaw stems from improper handling of the CURLOPT_SSL_CIPHER_LIST option within the library's implementation, creating a scenario where cryptographic configuration parameters become shared across multiple concurrent operations rather than being properly isolated to individual sessions.

The technical root cause of this vulnerability lies in the implementation of the Schannel TLS backend within libcurl, where the selected cipher suite configuration is stored in a static variable rather than being properly scoped to individual transfer operations. This design decision creates a race condition and configuration contamination scenario where multiple concurrent transfers can inadvertently interfere with each other's security parameters. When an application initiates several simultaneous transfers using curl, each operation sets its own cipher preferences through CURLOPT_SSL_CIPHER_LIST, but due to the static variable storage mechanism, only the last configured cipher set persists and becomes active for all transfers. This behavior violates fundamental security principles of isolation and proper resource management in multi-threaded or concurrent environments.

The operational impact of this vulnerability extends beyond simple configuration conflicts to represent a significant weakening of transport security across all affected curl implementations. In scenarios where applications perform multiple concurrent secure transfers, the security posture of all operations becomes compromised by the last cipher configuration set, potentially allowing attackers to downgrade encryption strength or select weaker cipher suites that are more susceptible to cryptographic attacks. This vulnerability particularly affects environments where curl is used for automated processes, web scraping, or any application that relies on multiple simultaneous secure connections. The risk is amplified in cases where different transfers require different security levels or when applications attempt to enforce specific cipher policies for compliance or regulatory reasons.

This vulnerability maps directly to CWE-691, which addresses Insufficient Control Flow Management, and aligns with ATT&CK technique T1071.004 for Application Layer Protocol: DNS, as it affects the underlying transport security mechanisms that applications depend upon. The improper handling of static variables in concurrent contexts represents a classic software engineering flaw that has been exploited in various security contexts where resource sharing leads to unexpected behavior. Organizations using affected curl versions should immediately implement mitigations including upgrading to patched versions, implementing application-level controls to prevent concurrent cipher configuration, or disabling the affected Schannel backend until proper patches are applied. The vulnerability demonstrates the critical importance of proper resource isolation in security-sensitive libraries and highlights the need for comprehensive testing of concurrent operations in cryptographic implementations.

Reservation

01/06/2021

Disclosure

06/11/2021

Moderation

accepted

CPE

ready

EPSS

0.02979

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!