CVE-2025-14524
BaseFortify
Publication date: 2026-01-08
Last updated on: 2026-01-20
Assigner: curl
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haxx | curl | From 7.33.0 (inc) to 8.18.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in curl versions 7.33.0 through 8.17.0 when an OAuth2 bearer token is used during an HTTP(S) transfer that performs a cross-protocol redirect to a URL with a different protocol such as IMAP, LDAP, POP3, or SMTP. In such cases, curl may mistakenly forward the bearer token to the new target host, potentially exposing sensitive credentials. This happens if the redirect URL includes a username component without a password and can occur even if the redirect is to the same hostname but with a different protocol or port. The issue is classified as CWE-522 (Insufficiently Protected Credentials) with a low severity rating. It was fixed in curl version 8.18.0. [1, 2]
How can this vulnerability impact me?
This vulnerability can leak OAuth2 bearer tokens to hosts other than the one the token was intended for during cross-protocol redirects. Such leakage could allow attackers or unauthorized parties to obtain the credentials, potentially compromising authentication and access to protected resources. The impact depends on whether a vulnerable curl version is in use and whether cross-protocol redirects with bearer tokens occur in your environment. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for curl usage that performs cross-protocol redirects while carrying an OAuth2 bearer token, especially redirects from HTTP(S) to the IMAP, LDAP, POP3, or SMTP schemes. Because the vulnerability requires curl to be configured to allow redirects to all supported protocols, reviewing curl command invocations and scripts for such configurations is the key step. Possible checks include searching for curl commands with options such as '--location' or '--proto' that enable cross-protocol redirects, and inspecting network traffic for OAuth2 bearer tokens being sent over unexpected protocols. For example, a network capture tool (e.g., tcpdump or Wireshark) can be used to filter for bearer tokens appearing in protocols other than HTTP(S). The referenced resources do not provide explicit detection commands. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading curl to version 8.18.0 or later, where the vulnerability is fixed. Additionally, avoid configuring curl to allow cross-protocol redirects, especially redirects from HTTP(S) to IMAP, LDAP, POP3, or SMTP schemes. Refrain from using OAuth2 bearer tokens in scenarios where cross-protocol redirects might occur. These steps will prevent the bearer token from being leaked to unintended hosts. [1]
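As an added illustration for the detection and mitigation answers above (it is not part of the BaseFortify record or of the curl project's own tooling), the following POSIX shell snippet audits a script for curl invocations that combine a bearer token (`--oauth2-bearer` or an `Authorization: Bearer` header) with redirect following (`-L`, `--location` or `--location-trusted`) but do not pin the protocols a redirect may use with curl's `--proto-redir` option. The sample script it checks is constructed inline, and the host names in it are placeholders.

```shell
#!/bin/sh
# Added illustration (not from the CVE record or the curl project).
# Audits a shell script for curl calls that send an OAuth2 bearer token while
# following redirects without restricting the protocols a redirect may use.
# Assumes POSIX sh with grep, wc, tr and mktemp available.

# flag_risky_curl_lines FILE
# Prints "LINE:TEXT" for every non-comment line that
#   (a) invokes curl,
#   (b) carries a bearer token via --oauth2-bearer or an Authorization: Bearer header,
#   (c) follows redirects with -L (possibly bundled, e.g. -sL), --location or
#       --location-trusted, and
#   (d) does not limit redirect protocols with --proto-redir.
flag_risky_curl_lines() {
    grep -n -E -e '(^|[[:space:];&|])curl([[:space:]]|$)' "$1" \
    | grep -v -E -e '^[0-9]+:[[:space:]]*#' \
    | grep -E -e '--oauth2-bearer|Authorization: *Bearer' \
    | grep -E -e '(^|[[:space:]])-[a-zA-Z]*L[a-zA-Z]*([[:space:]]|$)|--location' \
    | grep -v -e '--proto-redir' || true
}

# count_risky_curl_lines FILE
# Number of lines flag_risky_curl_lines would report for FILE.
count_risky_curl_lines() {
    flag_risky_curl_lines "$1" | wc -l | tr -d ' '
}

# make_sample_script
# Writes a constructed sample script to a temp file and prints its path.
# Two of its five curl calls are risky; the others show safe forms.
make_sample_script() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
# constructed sample: risky, token plus redirects with no redirect protocol limit
curl -sL --oauth2-bearer "$TOKEN" https://api.example.test/v1/me
# constructed sample: risky, header-based token with --location-trusted
curl --location-trusted -H "Authorization: Bearer $TOKEN" https://api.example.test/v1/files
# constructed sample: safe, redirects limited to HTTPS
curl -sL --proto-redir =https --oauth2-bearer "$TOKEN" https://api.example.test/v1/me
# constructed sample: safe, redirects are not followed at all
curl --oauth2-bearer "$TOKEN" https://api.example.test/v1/me
# constructed sample: not a token-bearing request
curl -sL https://www.example.test/
EOF
    printf '%s\n' "$f"
}

# Stand-alone use: audit the script given as the first argument, or run the
# constructed sample when no argument is supplied.
if [ "$#" -gt 0 ]; then
    flag_risky_curl_lines "$1"
else
    sample=$(make_sample_script)
    flag_risky_curl_lines "$sample"
    rm -f "$sample"
fi
```

Run `flag_risky_curl_lines some-script.sh` against real scripts to list candidate lines; the constructed sample shows the hardened form, `--proto-redir =https`, which restricts redirects to HTTPS so that a token-bearing request is never re-issued over IMAP, LDAP, POP3 or SMTP. The check is a textual heuristic: it does not follow variables, wrapper functions or config files, so treat its output as a starting point for review rather than proof of exposure.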
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves leakage of OAuth2 bearer tokens to unintended hosts during cross-protocol redirects, which can lead to exposure of sensitive credentials. Such exposure could potentially violate data protection requirements under standards like GDPR and HIPAA that mandate safeguarding of authentication credentials and personal data. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1, 2]