CVE-2025-0167 Information
Feb 06, 2025
Description
When asked to use a .netrc file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that
omits both login and password, which is a rare circumstance.
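A check for the precondition described above, as an added example that is not part of the original advisory or of curl's code: it scans netrc text for a `default` entry that has neither `login` nor `password`. The tokenizer is a simplified assumption (whitespace-separated tokens, `#` comments, `macdef` bodies ending at a blank line), and the sample files are constructed.

```python
"""Flag netrc files whose `default` entry has neither login nor password."""
import sys

VALUE_KEYS = ("login", "password", "account")

def parse_entries(text):
    """Return [(machine name, or None for `default`), set of keys present]."""
    entries, in_macro, pending = [], False, None
    for line in text.splitlines():
        if in_macro:                      # macdef body ends at a blank line
            in_macro = bool(line.strip())
            continue
        for word in line.split():
            if pending == "machine":      # this word is the host name
                entries.append((word, set()))
                pending = None
            elif pending:                 # this word is a value, never a keyword
                if entries:
                    entries[-1][1].add(pending)
                pending = None
            elif word.startswith("#"):    # assumption: rest of line is a comment
                break
            elif word == "macdef":        # skip the macro name and its body
                in_macro = True
                break
            elif word == "default":
                entries.append((None, set()))
            elif word == "machine" or word in VALUE_KEYS:
                pending = word            # value may follow on a later line
    return entries

def bare_default_entries(text):
    """Count `default` entries that omit both login and password."""
    return sum(1 for name, keys in parse_entries(text)
               if name is None and not keys & {"login", "password"})

# Constructed sample files (hosts and secrets are made up).
AFFECTED = "machine a.example login alice password constructed-secret\ndefault\n"
COMPLETE = "machine a.example login alice password x\ndefault login anon password y\n"
TRICKY = "machine a.example\n login alice\n password\n default\nmacdef init\ndefault\n\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            hits = bare_default_entries(fh.read())
        print(f"{path}: {'bare default entry found' if hits else 'ok'}")
```

Pass one or more netrc paths on the command line; `TRICKY` shows that a password whose value is the word `default` and a `default` line inside a macro body are not reported.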
Reference
cve@curl.se
https://curl.se/docs/CVE-2025-0167.html
https://curl.se/docs/CVE-2025-0167.json
https://hackerone.com/reports/2917232