{
  "id": "CURL-CVE-2022-27774",
  "summary": "Credential leak on redirect",
  "details": "curl follows HTTP(S) redirects when asked to. curl also supports\nauthentication. When a user and password are provided for a URL with a given\nhostname, curl makes an effort to not pass on those credentials to other hosts\nin redirects unless given permission with a special option.\n\nThis \"same host check\" has been flawed all since it was introduced. It does\nnot work on cross protocol redirects and it does not consider different port\nnumbers to be separate hosts. This leads to curl leaking credentials to other\nservers when it follows redirects from auth protected HTTP(S) URLs to other\nprotocols and port numbers. It could also leak the TLS SRP credentials this\nway.\n\nBy default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked\nto allow redirects to all protocols curl supports.",
  "aliases": ["CVE-2022-27774"],
  "modified": "2026-04-25T20:38:40.240980Z",
  "published": "2022-04-27T08:00:00Z",
  "database_specific": {
    "last_affected": "7.82.0",
    "award": {"currency": "USD", "amount": "2400"},
    "package": "curl",
    "severity": "Medium",
    "CWE": {"id": "CWE-522", "desc": "Insufficiently Protected Credentials"},
    "URL": "https://curl.se/docs/CVE-2022-27774.json",
    "issue": "https://hackerone.com/reports/1543773",
    "affects": "both",
    "www": "https://curl.se/docs/CVE-2022-27774.html"
  },
  "affected": [
    {
      "ranges": [
        {
          "type": "SEMVER",
          "events": [{"introduced": "4.9"}, {"fixed": "7.83.0"}]
        },
        {
          "type": "GIT",
          "repo": "https://github.com/curl/curl.git",
          "events": [
            {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
            {"fixed": "139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08"}
          ]
        }
      ],
      "versions": ["7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4","5.3","5.2.1","5.2","5.0","4.10","4.9"],
      "database_specific": {
        "source": "https://curl.se/docs/CURL-CVE-2022-27774.json",
        "vanir_signatures_modified": "2026-04-25T20:38:40Z",
        "vanir_signatures": [
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "262798673164789283707933144992658655571",
                "308866231090132398685292440602323085659",
                "218522050723843706275844755089268886894",
                "264520732031415029893465386246305891938",
                "255081155225987236107276449708198740332",
                "284005436363395618950898514392141893181",
                "211741044205049447891615805681854674234",
                "54351800868786377349244636123274450135",
                "129082291545665362875453917163240722928",
                "300882766186711943204300492110007687244",
                "2749095879463954182735055111271760536",
                "318801149579964450976615380669653453603"
              ]
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08",
            "target": {"file": "lib/http.c"},
            "signature_type": "Line",
            "id": "CURL-CVE-2022-27774-11e86c16"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": ["15250632038904567710698961259334097946"]
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08",
            "target": {"file": "lib/http.h"},
            "signature_type": "Line",
            "id": "CURL-CVE-2022-27774-1cd2508b"
          },
          {
            "digest": {
              "function_hash": "113717808996367900506693577639546427215",
              "length": 1362
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08",
            "target": {"file": "lib/http.c", "function": "Curl_http_output_auth"},
            "signature_type": "Function",
            "id": "CURL-CVE-2022-27774-1fcd647d"
          },
          {
            "digest": {
              "function_hash": "190399237343174196504227025865386127347",
              "length": 405
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08",
            "target": {"file": "lib/http.c", "function": "allow_auth_to_host"},
            "signature_type": "Function",
            "id": "CURL-CVE-2022-27774-513de7d8"
          },
          {
            "digest": {
              "threshold": 0.9,
              "line_hashes": [
                "80671106726207623533248912459284848647",
                "132512223047761870221659524956957668680",
                "84902498036584396934755271190578784048",
                "21709746416974032966101428746434201080"
              ]
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08",
            "target": {"file": "lib/vtls/openssl.c"},
            "signature_type": "Line",
            "id": "CURL-CVE-2022-27774-d0fbe734"
          },
          {
            "digest": {
              "function_hash": "306743336370580303272734538044372673413",
              "length": 13726
            },
            "deprecated": false,
            "signature_version": "v1",
            "source": "https://github.com/curl/curl.git/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08",
            "target": {"file": "lib/vtls/openssl.c", "function": "ossl_connect_step1"},
            "signature_type": "Function",
            "id": "CURL-CVE-2022-27774-e2e0038c"
          }
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Harry Sintonen", "type": "FINDER"},
    {"name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER"}
  ]
}