PatchSiren cyber security CVE debrief
CVE-2023-46218 Fedoraproject CVE debrief
CVE-2023-46218 is a curl cookie-handling flaw that can let a malicious HTTP server set "super cookies" by bypassing Public Suffix List checks when the cookie domain's letter case differs from the host's case. Such cookies can then be returned to unrelated origins and domains, creating unintended cross-site cookie exposure. NVD rates the issue at CVSS 3.1 6.5 (MEDIUM).
- Vendor: Fedoraproject
- Product: CVE-2023-46218
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-12-07
- Original CVE updated: 2026-05-12
- Advisory published: 2023-12-07
- Advisory updated: 2026-05-12
Who should care
Teams running curl/libcurl in clients, automation, proxies, containers, or embedded software that accepts cookies from untrusted HTTP servers should pay attention. Package maintainers and fleet managers should also track downstream curl updates from distro advisories.
Technical summary
The supplied advisory text and NVD record describe a mixed-case flaw in curl's cookie domain verification against the Public Suffix List (PSL). In the example given, a cookie with domain=co.UK could be accepted when the request host is lowercase curl.co.uk, even though co.uk is a PSL entry. NVD lists affected curl versions from 7.46.0 through 8.4.0 inclusive. The practical effect is weakened origin scoping for cookies, which can lead to cross-origin cookie disclosure or replay to unrelated sites.
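To make the mixed-case check concrete, the following is an added, simplified model written for this debrief (not curl's own code). It assumes the mechanism the advisory describes: the host/domain tail match ignores case, but the PSL lookup sees the domain exactly as the server sent it. The PSL excerpt and host names are constructed.

```python
# Added illustration, not curl's code. PSL_EXCERPT and the hosts are constructed.
PSL_EXCERPT = {"uk", "co.uk", "com"}   # constructed subset of the real PSL


def tail_match(host: str, domain: str) -> bool:
    """Case-insensitive tail match, as cookie domain matching requires:
    host equals the domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def accept_domain_vulnerable(host: str, domain: str) -> bool:
    """Models the CVE-2023-46218 pattern: the PSL lookup uses the domain as
    sent, so 'co.UK' misses the 'co.uk' entry and the cookie ends up scoped
    to a whole public suffix (a 'super cookie')."""
    domain = domain.lstrip(".")
    if domain in PSL_EXCERPT:          # case-sensitive lookup: 'co.UK' not found
        return False
    return tail_match(host, domain)


def accept_domain_fixed(host: str, domain: str) -> bool:
    """Hardened check: lowercase the domain before the PSL lookup so a case
    difference can no longer bypass it."""
    domain = domain.lstrip(".").lower()
    if domain in PSL_EXCERPT:
        return False
    return tail_match(host, domain)


def hosts_receiving_cookie(setting_host, domain, hosts, checker) -> list:
    """If `checker` accepts the cookie set by `setting_host` with `domain`,
    return which of the constructed `hosts` would later be sent that cookie."""
    if not checker(setting_host, domain):
        return []
    return [h for h in hosts if tail_match(h, domain)]


if __name__ == "__main__":
    # Constructed scenario from the advisory example: curl.co.uk sets a cookie
    # with domain=co.UK, then the client visits unrelated .co.uk sites.
    others = ["curl.co.uk", "bank.co.uk", "shop.co.uk", "example.com"]
    print("vulnerable:", hosts_receiving_cookie("curl.co.uk", "co.UK", others, accept_domain_vulnerable))
    print("fixed:     ", hosts_receiving_cookie("curl.co.uk", "co.UK", others, accept_domain_fixed))
```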
Defensive priority
Medium: the issue is network-reachable, requires no authentication, and can affect the confidentiality and integrity of cookie isolation; the supplied data indicates no availability impact (A:N in the CVSS vector).
Recommended defensive actions
- Apply the curl or distro package update that contains the vendor fix referenced by the curl advisory.
- Inventory systems and applications that use curl/libcurl cookie handling, especially when contacting untrusted HTTP servers.
- If patching is delayed, reduce or disable cookie acceptance for untrusted origins and review any assumptions about PSL-based domain scoping.
- Check downstream advisories from Debian, Fedora, and other vendors for packaged remediation guidance and update windows.
Evidence notes
This debrief is based on the supplied NVD record and the linked curl vendor advisory. The source description explicitly says the flaw can allow a malicious HTTP server to set cookies that are then passed to more origins than intended. NVD provides the affected version range (7.46.0 through 8.4.0) and CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The CVE publication date used here is 2023-12-07; the 2026-05-12 modified timestamp is treated only as metadata context.
Official resources
- CVE-2023-46218 CVE record (CVE.org)
- CVE-2023-46218 NVD detail (NVD)
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Exploit, Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: Mailing List, Third Party Advisory
Publicly disclosed on 2023-12-07 per the supplied CVE publication timestamp. The source record was later modified on 2026-05-12, which is metadata only and not the issue date.