CVE-2025-0167
netrc and default credential leak
Project curl Security Advisory, February 5th 2025
VULNERABILITY
When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.
INFO
A curl transfer with nn.tld that redirects to zz.tld, using a .netrc file with an empty default entry like the one below, would make curl pass on maryspassword as password even in the transfer to the second and separate host zz.tld.
machine nn.tld
login mary
password maryspassword
default
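The following is an added example and not curl's code: a small Python model of the behaviour the advisory describes. It parses a .netrc, resolves credentials for a host the way netrc matching works (a machine entry first, otherwise the default entry), and contrasts a redirect handler that leaves the first host's password in place when the matched default entry sets nothing with one that clears the credentials before resolving the new host. The parse_netrc, netrc_lookup and Transfer names are this example's own, the sample .netrc is constructed from the advisory's file, and the detail that only the password slot survives the redirect is an assumption of the model, chosen to match the advisory's wording.

```python
# Added example (not curl's implementation): a model of how a bare
# "default" entry in .netrc lets the first host's password survive an
# HTTP redirect to a different host.

# Constructed sample .netrc with the same content as the advisory's file:
# a complete entry for nn.tld followed by a "default" entry that sets
# neither login nor password.
NETRC_TEXT = """\
machine nn.tld
login mary
password maryspassword
default
"""


def parse_netrc(text):
    """Return a list of entries: {'machine': host or None, 'login': ...,
    'password': ...}. A 'default' entry has machine=None. Fields the
    entry does not set stay None."""
    entries = []
    current = None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = {"machine": tokens[i + 1], "login": None, "password": None}
            entries.append(current)
            i += 2
        elif tok == "default":
            current = {"machine": None, "login": None, "password": None}
            entries.append(current)
            i += 1
        elif tok in ("login", "password") and current is not None and i + 1 < len(tokens):
            current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1  # 'account', 'macdef' bodies etc. are not modelled here
    return entries


def netrc_lookup(entries, host):
    """A 'machine' entry for host wins; otherwise the 'default' entry.
    Returns (login, password) with None for unset fields, or None when
    no entry matches at all."""
    for e in entries:
        if e["machine"] == host:
            return e["login"], e["password"]
    for e in entries:
        if e["machine"] is None:
            return e["login"], e["password"]
    return None


class Transfer:
    """Credentials attached to the request currently being made."""

    def __init__(self, entries, host):
        self.entries = entries
        self.host = host
        self.login = None
        self.password = None
        self._apply(netrc_lookup(entries, host))

    def _apply(self, creds):
        # Fill in only the fields the matched entry actually sets.
        if creds is None:
            return
        login, password = creds
        if login is not None:
            self.login = login
        if password is not None:
            self.password = password

    def follow_vulnerable(self, new_host):
        """Flawed redirect handling (assumed model of the advisory):
        the login is re-resolved, but the password slot is only cleared
        when no netrc entry matches. A bare 'default' entry matches and
        sets nothing, so the first host's password is sent to new_host."""
        self.host = new_host
        creds = netrc_lookup(self.entries, new_host)
        self.login = None
        if creds is None:
            self.password = None  # nothing in netrc for this host
        else:
            self._apply(creds)  # stale password survives an empty entry
        return self.login, self.password

    def follow_fixed(self, new_host):
        """Corrected handling: forget the previous host's credentials
        before resolving new_host, so an empty 'default' yields nothing."""
        self.host = new_host
        self.login = None
        self.password = None
        self._apply(netrc_lookup(self.entries, new_host))
        return self.login, self.password


if __name__ == "__main__":
    entries = parse_netrc(NETRC_TEXT)
    print("vulnerable:", Transfer(entries, "nn.tld").follow_vulnerable("zz.tld"))
    print("fixed:     ", Transfer(entries, "nn.tld").follow_fixed("zz.tld"))
```

Running the block shows the vulnerable path handing maryspassword to zz.tld while the fixed path sends nothing. The model also reproduces the advisory's precondition: with no default entry at all, or with a default entry that carries its own login and password, both paths behave the same, so the leak needs exactly the bare default entry the advisory describes.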
This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
This flaw also affects the curl command line tool.
This flaw is similar, but not identical, to CVE-2024-11053.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2025-0167 to this issue.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.76.0 to and including 8.11.1
- Not affected versions: curl < 7.76.0 and >= 8.12.0
- Introduced-in: https://github.com/curl/curl/commit/46620b97431e19c53ce82e5
libcurl is used by many applications, but not always advertised as such!
SOLUTION
For curl versions before 8.11.0: proper functionality of the fixes also requires the 9bee39b commit, available since version 8.11.0. Without it, the newly added test486 fails, leaking the original password (only) on redirect.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.12.0
B - Apply the patches to your version and rebuild
C - Avoid using netrc together with redirects
TIMELINE
This issue was reported to the curl project on December 30, 2024. We contacted distros@openwall on January 28, 2025.
curl 8.12.0 was released on February 5, 2025 around 08:00 UTC, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Yihang Zhou
- Patched-by: Daniel Stenberg
Thanks a lot!