JLSEC-2026-413 Low 3.4

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could...

JLSEC Published: May 4, 2026
Modified: May 4, 2026
Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Affected Packages: CURL_jll < 8.11.1+0
LibCURL_jll >= 7.81.0+0, < 8.11.1+0
Aliases / Upstream: CVE-2024-11053 GHSA-h288-5fq8-5pfw EUVD-2024-34411

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

References

http://www.openwall.com/lists/oss-security/2024/12/11/1
https://curl.se/docs/CVE-2024-11053.html
https://curl.se/docs/CVE-2024-11053.json
https://github.com/advisories/GHSA-h288-5fq8-5pfw
https://hackerone.com/reports/2829063
https://nvd.nist.gov/vuln/detail/CVE-2024-11053
https://security.netapp.com/advisory/ntap-20250124-0012
https://security.netapp.com/advisory/ntap-20250124-0012/
https://security.netapp.com/advisory/ntap-20250131-0003
https://security.netapp.com/advisory/ntap-20250131-0003/
https://security.netapp.com/advisory/ntap-20250131-0004
https://security.netapp.com/advisory/ntap-20250131-0004/