Vulnerability
curl/libcurl: STARTTLS protocol injection via MITM
When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple *pipelined* responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got *before* the TLS handshake as if they were authenticated. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. Over POP3 and IMAP an attacker can inject fake response data.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
Low exploitation likelihood — defer if no other signals fire.
No VEX statements published for CVE-2021-22947. Vendors publish VEX (Vulnerability Exploitability eXchange) to assert per-product whether a CVE is actually exploitable in their distribution.
No exploitation, limited impact or prevalence