CVE-2025-0167
netrc and default credential leak
Project curl Security Advisory, February 5th 2025
VULNERABILITY
When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.
INFO
A curl transfer with nn.tld that redirects to zz.tld, using a .netrc file with an empty default entry like below, would make curl pass on maryspassword as password even in the transfer to the second and separate host zz.tld.

    machine nn.tld
    login mary
    password maryspassword
    default

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
This flaw also affects the curl command line tool.
This flaw is similar, but not identical, to CVE-2024-11053.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0167 to this issue.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.76.0 to and including 8.11.1
- Not affected versions: curl < 7.76.0 and >= 8.12.0
- Introduced-in: https://github.com/curl/curl/commit/46620b97431e19c53ce82e5
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.12.0
B - Apply the patch to your version and rebuild
C - Avoid using netrc together with redirects
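
To triage exposure, the added example below (not part of the curl project's advisory or code) flags a .netrc whose default entry omits both login and password, and checks a curl version string against the affected range given above. The function names and the simplified tokenizer (whitespace-separated tokens, no quoted values) are assumptions of this example.

```python
import re

AFFECTED_MIN, AFFECTED_MAX = (7, 76, 0), (8, 11, 1)  # range stated in the advisory

def is_affected(version):
    """True if a curl version string such as '8.11.1' is in the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

def netrc_entries(text):
    """Yield (name, fields) per entry; name is None for a 'default' entry.
    Assumes whitespace-separated tokens without quoted values."""
    tokens, in_macro = [], False
    for line in text.splitlines():
        if in_macro:                          # a macdef body ends at a blank line
            in_macro = bool(line.strip())
            continue
        if line.lstrip().startswith("#"):     # comment line
            continue
        words = line.split()
        if "macdef" in words:
            words, in_macro = words[:words.index("macdef")], True
        tokens.extend(words)
    entry, it = None, iter(tokens)
    for tok in it:
        if tok in ("machine", "default"):
            if entry:
                yield entry
            entry = (next(it, "") if tok == "machine" else None, {})
        elif tok in ("login", "password", "account") and entry:
            entry[1][tok] = next(it, "")      # consume the keyword's value
    if entry:
        yield entry

def empty_default_entries(text):
    """Count 'default' entries that omit both login and password."""
    return sum(1 for name, fields in netrc_entries(text)
               if name is None and not {"login", "password"} & fields.keys())

# The advisory's own example file, reproduced as input.
ADVISORY_NETRC = "machine nn.tld\nlogin mary\npassword maryspassword\ndefault\n"

if __name__ == "__main__":
    print("empty default entries:", empty_default_entries(ADVISORY_NETRC))
    print("8.11.1 affected:", is_affected("8.11.1"))
```

A non-zero count on a host running a curl or libcurl version for which `is_affected` returns true means the precondition described in this advisory is present.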
TIMELINE
This issue was reported to the curl project on December 30, 2024. We contacted distros@openwall on January 28, 2025.
curl 8.12.0 was released on February 5 2025 around 08:00 UTC, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Yihang Zhou
- Patched-by: Daniel Stenberg
Thanks a lot!