CVE-2022-32207

CRITICALNVD 9.89.8
EchelonGraph scoreMEDIUM confidence

Score 9.8 from GitHub Security Advisory (severity: CRITICAL) published 2022-07-08. NVD baseline CVSS 9.8; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
Elevated
9.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 7%CVSS: 9.8Exploit: NoneExposed: 0

A fix is available — apply it.

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended.

CVSS v3
9.8
EG Score
9.8(medium)
EPSS
93.3%
KEV
Not listed

Published

July 7, 2022

Last Modified

April 23, 2025

Advisory Details (8)

Auto-updated May 25, 2026
No patch confirmed yet.
generic

Full Disclosure: APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13

http://seclists.org/fulldisclosure/2022/Oct/41
generic

Full Disclosure: APPLE-SA-2022-10-24-2 macOS Ventura 13

http://seclists.org/fulldisclosure/2022/Oct/28
generic

[SECURITY] [DSA 5197-1] curl security update

https://www.debian.org/security/2022/dsa-5197
generic

About the security content of macOS Ventura 13 - Apple Support

https://support.apple.com/kb/HT213488
generic

curl: Multiple Vulnerabilities (GLSA 202212-01) — Gentoo security

https://security.gentoo.org/glsa/202212-01
generic

[SECURITY] Fedora 35 Update: curl-7.79.1-5.fc35 - package-announce - Fedora mailing-lists

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/

Patch Availability(4)

Vendor / EcosystemFixed in / PatchReleasedSource
ubuntucurl (7.81.0-1ubuntu1.3) @ jammy2026-05-25ubuntu
redhatjbcs-httpd24-curl-0:7.86.0-2.el7jbcs2022-12-08redhat
redhatjbcs-httpd24-curl2022-12-08redhat
redhatcurl-0:7.76.1-14.el9_0.52022-08-24redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(2)

Frequently asked(5)

What is CVE-2022-32207?
CVE-2022-32207 is a critical vulnerability published on July 7, 2022. When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the…
When was CVE-2022-32207 disclosed?
CVE-2022-32207 was first published in the National Vulnerability Database on July 7, 2022, with the most recent update on April 23, 2025. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2022-32207 actively exploited?
CVE-2022-32207 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 93.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2022-32207?
CVE-2022-32207 has a CVSS v3 base score of 9.8 (NVD).
How do I remediate CVE-2022-32207?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2022-32207, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2022-32207

Explore →

Is Your Infrastructure Affected by CVE-2022-32207?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.