CVE-2021-22922 in cURL

Summary

by MITRE • 08/06/2021

When curl is instructed to download content using the metalink feature, the contents are verified against a hash provided in the metalink XML file. The metalink XML file points out to the client how to get the same content from a set of different URLs, potentially hosted by different servers, and the client can then download the file from one or several of them, in a serial or parallel manner. If one of the servers hosting the contents has been breached and the contents of the specific file on that server are replaced with a modified payload, curl should detect this when the hash of the file mismatches after a completed download. It should remove the contents and instead try getting the contents from another URL. This is not done, and instead such a hash mismatch is only mentioned in text and the potentially malicious content is kept in the file on disk.


Analysis

by VulDB Data Team • 05/16/2025

The vulnerability described in CVE-2021-22922 represents a critical security flaw in the curl command-line tool that undermines the integrity verification mechanisms designed to protect users from malicious content delivery. This issue specifically affects the metalink feature implementation within curl, which is intended to provide resilient content distribution by allowing clients to download files from multiple sources simultaneously. The metalink XML format contains hash values that should serve as cryptographic guarantees of file integrity, enabling curl to verify that downloaded content matches the expected cryptographic checksums. When curl processes metalink files, it should validate these hashes against downloaded content and discard any files that fail verification, attempting to retrieve the content from alternative sources instead. However, the vulnerability exists in the error handling logic where curl fails to properly discard files that fail hash verification, instead preserving potentially malicious content on the local filesystem while only reporting the hash mismatch in textual form. This design flaw directly violates the fundamental security principle of fail-safe error handling, where systems should err on the side of caution when integrity checks fail.

The technical implementation of this vulnerability stems from the improper handling of hash verification failures within curl's metalink processing subsystem. When curl downloads content from metalink-specified URLs, it performs hash validation as part of its integrity checking process, but the failure to properly remove or replace files that fail these checks creates a persistent security risk. The system should follow the principles of least privilege and secure-by-default, under which any deviation from the expected cryptographic verification result triggers immediate content rejection and an alternative retrieval attempt. This flaw manifests as a failure in the file replacement mechanism, where curl keeps the corrupted file on disk despite having detected the hash mismatch. The vulnerability is classified under CWE-284 Access Control Bypass and aligns with ATT&CK technique T1059 Command and Scripting Interpreter, as it enables attackers to potentially deliver malicious payloads through compromised servers that are part of the metalink distribution network. The security implications extend beyond simple integrity checking failures to represent a complete breakdown in the content verification chain that attackers can exploit to deliver malware or poisoned content.

The operational impact of CVE-2021-22922 is significant for organizations and individuals who rely on curl's metalink functionality for secure content distribution and software updates. Attackers can compromise one of the many servers in a metalink distribution network and replace legitimate content with malicious payloads, knowing that curl will not automatically remove the corrupted files from the local system. This creates a persistent threat vector where compromised servers can deliver malicious content without detection, particularly concerning for software distribution channels where metalink is used for critical updates. The vulnerability affects systems running curl versions prior to 7.76.0, making it particularly relevant for enterprise environments that may be running older versions of the tool. Organizations using curl for automated deployment processes, package management, or software update mechanisms are especially vulnerable, as the flaw can lead to the execution of malicious code or the installation of compromised software packages. The impact extends to supply chain security, where the integrity of downloaded content is paramount, and any failure in cryptographic verification can result in widespread compromise across multiple systems.

Mitigation strategies for CVE-2021-22922 require immediate action to update curl to version 7.76.0 or later, which contains the necessary patches to properly handle hash verification failures. System administrators should conduct comprehensive inventory checks to identify all systems running vulnerable versions of curl and implement automated patch management processes to ensure timely updates. Organizations should also consider implementing additional verification layers, such as manual hash validation or using alternative content distribution mechanisms that do not rely on metalink functionality until the vulnerability is fully addressed. Network monitoring should be enhanced to detect unusual patterns in file downloads from metalink sources, particularly when multiple servers are involved in content distribution. Security teams should also review their software update policies and implementation procedures to ensure that vulnerable tools are identified and patched promptly, as this vulnerability demonstrates the critical importance of maintaining up-to-date security tooling. The fix implemented in the patched version addresses the core issue by ensuring that when hash verification fails, curl properly discards the corrupted content and attempts to retrieve the file from alternative sources, thereby restoring the intended security guarantees of the metalink feature.
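As an added example (not curl's code and not part of the VulDB record), the fail-safe behaviour the analysis and the mitigation paragraph call for, written in Python: parse a Metalink v4 file, try each listed mirror in turn, and delete the downloaded file on a SHA-256 mismatch before moving to the next mirror, so that a breached mirror never leaves its payload on disk. The XML, hostnames and mirror contents are constructed for the example, and the injected `fetch` callable stands in for the network.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Metalink v4 (RFC 5854) namespace. Template, hosts and mirror contents are constructed samples.
ML_NS = "{urn:ietf:params:xml:ns:metalink}"
METALINK_TEMPLATE = """<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="tool.tar.gz">
    <hash type="sha-256">{sha256}</hash>
    <url>https://mirror-a.example/tool.tar.gz</url>
    <url>https://mirror-b.example/tool.tar.gz</url>
  </file>
</metalink>"""
GENUINE = b"genuine release archive (constructed sample)\n"
TAMPERED = b"payload substituted on a breached mirror (constructed sample)\n"
MIRRORS = {  # url -> bytes that mirror would serve; the first listed mirror is the breached one
    "https://mirror-a.example/tool.tar.gz": TAMPERED,
    "https://mirror-b.example/tool.tar.gz": GENUINE,
}
METALINK_XML = METALINK_TEMPLATE.format(sha256=hashlib.sha256(GENUINE).hexdigest())

def parse_metalink(xml_text):
    """Return (file name, expected sha-256 hex digest, mirror URLs in listed order)."""
    f = ET.fromstring(xml_text).find(f"{ML_NS}file")
    hashes = {h.get("type"): h.text.strip().lower() for h in f.findall(f"{ML_NS}hash")}
    return f.get("name"), hashes["sha-256"], [u.text.strip() for u in f.findall(f"{ML_NS}url")]

def fetch_verified(xml_text, fetch, dest_dir):
    """Try mirrors in turn; keep the file only when its SHA-256 matches the metalink.
    `fetch(url) -> bytes` is injected so this runs offline. Returns (path, url_used)."""
    name, expected, urls = parse_metalink(xml_text)
    dest = os.path.join(dest_dir, name)
    for url in urls:
        data = fetch(url)
        with open(dest, "wb") as fh:  # lands on disk first, as a real download does
            fh.write(data)
        if hashlib.sha256(data).hexdigest() == expected:
            return dest, url
        os.remove(dest)  # fail-safe: a mismatch discards the file instead of only logging it
    raise RuntimeError("no mirror served content matching the metalink hash")

def demo(mirrors=MIRRORS):
    with tempfile.TemporaryDirectory() as d:
        try:
            path, used = fetch_verified(METALINK_XML, mirrors.__getitem__, d)
            with open(path, "rb") as fh:
                return used, fh.read() == GENUINE
        except RuntimeError:
            return None, os.listdir(d) == []  # True: nothing left behind after total failure
```

With the constructed mirrors, the breached first mirror is rejected and its file removed, and the second mirror's genuine copy is what remains on disk; if every mirror fails verification, the download directory ends up empty.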

Reservation

01/06/2021

Disclosure

08/06/2021

Moderation

accepted

CPE

ready

EPSS

0.04313

KEV

no

Activities

very low
