CVE-2025-0167
3.4 Low
Published:
Last updated:
Source: 2499f714-1537-4658-8207-48ae4bb9eae9
Analyzed
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: None
- Availability: None
Description
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests if the netrc file has a `default` entry that omits both login and password, which is a rare circumstance.
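
The following is an added example, not code from curl or from this advisory: a small auditor that flags the `.netrc` shape named in the description, a `default` entry with neither `login` nor `password`. It assumes whitespace-separated tokens (quoted values containing spaces are not handled), and the sample files and host names are constructed.

```python
import sys

VALUE_KEYS = {"login", "password", "account"}

# Constructed samples: the first has the bare `default` entry, the second does not.
SAMPLE_AFFECTED = "machine a.example.com login alice password constructed-pw\ndefault\n"
SAMPLE_OK = ("machine a.example.com login alice password constructed-pw\n"
             "default login anonymous password user@example.com\n")


def _tokens(text):
    """Yield tokens, skipping comment lines and macdef bodies."""
    in_macro = False
    for line in text.splitlines():
        if in_macro:
            in_macro = bool(line.strip())  # a macro body ends at a blank line
            continue
        if line.lstrip().startswith("#"):
            continue
        for word in line.split():
            if word == "macdef":
                in_macro = True
                break
            yield word


def parse_entries(text):
    """Return [(host, fields)]; host is None for a `default` entry."""
    entries, toks, i = [], list(_tokens(text)), 0
    while i < len(toks):
        tok = toks[i]
        if tok == "default":
            entries.append((None, {}))
            i += 1
        elif tok == "machine" and i + 1 < len(toks):
            entries.append((toks[i + 1], {}))
            i += 2
        elif tok in VALUE_KEYS and i + 1 < len(toks) and entries:
            entries[-1][1][tok] = toks[i + 1]  # value consumed, never read as a keyword
            i += 2
        else:
            i += 1
    return entries


def risky_default(text):
    """True if a `default` entry omits both login and password."""
    return any(host is None and "login" not in f and "password" not in f
               for host, f in parse_entries(text))


if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], encoding="utf-8") as fh:
        print("bare default entry found" if risky_default(fh.read()) else "ok")
```

The check reports only the file shape; it says nothing about whether the installed curl is an affected version.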
References
- https://curl.se/docs/CVE-2025-0167.html (source: 2499f714-1537-4658-8207-48ae4bb9eae9)
- https://curl.se/docs/CVE-2025-0167.json (source: 2499f714-1537-4658-8207-48ae4bb9eae9)
- https://hackerone.com/reports/2917232 (source: 2499f714-1537-4658-8207-48ae4bb9eae9)
- https://security.netapp.com/advisory/ntap-20250306-0008/ (source: af854a3a-2127-422b-91ae-364da2661108)
- https://curl.se/docs/CVE-2025-0167.html (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)