Awarded 800 USD


Automatic referer leaks credentials

Project curl Security Advisory, March 31st 2021


libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".


The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2021-22876 to this issue.

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Severity: Low


Also note that libcurl is used by many applications, and not always advertised as such.


With the fix applied, if the provided URL contains credentials, they are blanked out before the URL is used to populate the Referer: header field.
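The affected behaviour described above and the blanking applied by the fix, as an added Python example that is not part of this advisory or of libcurl's own code: the URL-stripping logic, the sample URL and the proxy log lines are all constructed here for illustration, and the log scan shows how a defender can check captured Referer: values for credentials that an unpatched client would have leaked.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a URL carrying credentials in its userinfo part, the kind
# an affected libcurl copied verbatim into the automatic Referer: header.
SAMPLE_URL = "https://alice:s3cret@example.com/login?next=/account"


def vulnerable_referer(previous_url: str) -> str:
    """Affected behaviour: the previous URL becomes the Referer: value unchanged."""
    return previous_url


def safe_referer(previous_url: str) -> str:
    """Fixed behaviour: blank out userinfo before the URL becomes Referer:.

    The stripping logic is this example's own, not libcurl's source.
    """
    parts = urlsplit(previous_url)
    if "@" not in parts.netloc:
        return previous_url
    # Keep only host[:port], dropping user[:password]@ from the authority.
    host_port = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host_port, parts.path, parts.query, parts.fragment))


def referer_leaks_credentials(header_value: str) -> bool:
    """True if a captured Referer: value still carries a username (and maybe password)."""
    parts = urlsplit(header_value.strip())
    return parts.scheme in ("http", "https") and bool(parts.username)


# Constructed proxy log lines: "METHOD path Referer: <value>".
LOG_LINES = [
    "GET /account Referer: https://alice:s3cret@example.com/login?next=/account",
    "GET /static/app.js Referer: https://example.com/account",
    "GET /api/me Referer: https://token@api.example.com/v1",
]


def scan_log_for_leaks(lines):
    """Return the log lines whose Referer value exposes credentials."""
    hits = []
    for line in lines:
        _, _, ref = line.partition("Referer: ")
        if ref and referer_leaks_credentials(ref):
            hits.append(line)
    return hits
```

Running `scan_log_for_leaks(LOG_LINES)` flags the first and third lines; `safe_referer(SAMPLE_URL)` yields `https://example.com/login?next=/account`, which is the value a fixed client sends.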


We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade libcurl to version 7.76.0

B - Apply the patch to your local version

C - Provide the credentials with -u or CURLOPT_USERPWD

D - Avoid CURLOPT_AUTOREFERER and --referer ";auto"


This issue was reported to the curl project on February 12, 2021.

This advisory was posted on March 31st 2021.


Thanks a lot!