CVE-2025-0167

Description

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

Reserved 2024-12-31 | Published 2025-02-05 | Updated 2025-03-07 | Assigner curl

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

8.11.1
affected

8.11.0
affected

8.10.1
affected

8.10.0
affected

8.9.1
affected

8.9.0
affected

8.8.0
affected

8.7.1
affected

8.7.0
affected

8.6.0
affected

8.5.0
affected

8.4.0
affected

8.3.0
affected

8.2.1
affected

8.2.0
affected

8.1.2
affected

8.1.1
affected

8.1.0
affected

8.0.1
affected

8.0.0
affected

7.88.1
affected

7.88.0
affected

7.87.0
affected

7.86.0
affected

7.85.0
affected

7.84.0
affected

7.83.1
affected

7.83.0
affected

7.82.0
affected

7.81.0
affected

7.80.0
affected

7.79.1
affected

7.79.0
affected

7.78.0
affected

7.77.0
affected

7.76.1
affected

7.76.0
affected

Credits

Yihang Zhou finder

Daniel Stenberg remediation developer

References

curl.se/docs/CVE-2025-0167.json (json)

curl.se/docs/CVE-2025-0167.html (www)

hackerone.com/reports/2917232 (issue)

cve.org (CVE-2025-0167)

nvd.nist.gov (CVE-2025-0167)

Download JSON