JLSEC-2026-420 Low 3.4

When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could...

JLSEC Published: May 4, 2026
Modified: May 4, 2026
Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Affected Packages: CURL_jll < 8.13.0+0
LibCURL_jll >= 7.81.0+0, < 8.12.0+0
Aliases / Upstream: CVE-2025-0167 GHSA-c42g-rmxf-64ch EUVD-2025-1518

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.

References

https://curl.se/docs/CVE-2025-0167.html
https://curl.se/docs/CVE-2025-0167.json
https://github.com/advisories/GHSA-c42g-rmxf-64ch
https://hackerone.com/reports/2917232
https://nvd.nist.gov/vuln/detail/CVE-2025-0167
https://security.netapp.com/advisory/ntap-20250306-0008
https://security.netapp.com/advisory/ntap-20250306-0008/

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could...

References

When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could...