{"id":"CURL-CVE-2025-0167","summary":"netrc and default credential leak","details":"When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. A rare circumstance.","aliases":["CVE-2025-0167"],"modified":"2025-11-05T13:56:14Z","published":"2025-02-05T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2025-0167.json","award":{"amount":"505","currency":"USD"},"last_affected":"8.11.1","www":"https://curl.se/docs/CVE-2025-0167.html","issue":"https://hackerone.com/reports/2917232","affects":"both","CWE":{"desc":"Exposure of Sensitive Information to an Unauthorized Actor","id":"CWE-200"},"package":"curl","severity":"Low"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.76.0"},{"fixed":"8.12.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"46620b97431e19c53ce82e55055c85830f088cf4"},{"fixed":"0e120c5b925e8ca75d5319e319e5ce4b8080d8eb"}]}],"versions":["8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2025-0167.json","vanir_signatures":[{"deprecated":false,"target":{"file":"lib/netrc.c"},"source":"https://github.com/curl/curl.git/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["20458848727035232539463676160844715969","90706272737080507433274527716916664546","16917327258350909374225622337481945083","95294599251604326993271975417061449667","69955327080921055285093850767477732234","68948961411026234800199585682669406206","191585321479983056735666444989778000369"]},"id":"CURL-CVE-2025-0167-15d6fd1f","signature_type":"Line"},{"deprecated":false,"target":{"function":"parsenetrc","file":"lib/netrc.c"},"source":"https://github.com/curl/curl.git/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb","signature_version":"v1","digest":{"length":3446,"function_hash":"7801934723948004267281319048702801809"},"id":"CURL-CVE-2025-0167-9ba894d6","signature_type":"Function"}]}}],"schema_version":"1.7.3","credits":[{"name":"Yihang Zhou","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}
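The record above names two checkable preconditions: a curl build in the affected SEMVER range (introduced 7.76.0, fixed 8.12.0) and a `.netrc` containing a `default` entry with neither `login` nor `password`. The following audit helper is an added example, not code from curl or from the advisory. Its `.netrc` reader is a deliberately simplified tokenizer (it understands `machine`, `default`, `login`, `password`, `account`, and skips `macdef` bodies up to the next blank line); it is not curl's `parsenetrc`. The sample `.netrc` contents are constructed. Whether a given invocation actually uses `--netrc` and follows redirects with `-L` is outside what a file scan can see, so the `at_risk` verdict only combines the two preconditions the advisory states.

```python
"""Audit helper for the CVE-2025-0167 preconditions.

Added example, not code from curl or from the advisory. The .netrc reader is a
simplified tokenizer (assumption: machine/default/login/password/account tokens,
macdef bodies skipped to the next blank line), not curl's own parser. The
version range mirrors the SEMVER events in this record.
"""
import re

INTRODUCED = (7, 76, 0)   # first affected release, per the record
FIXED = (8, 12, 0)        # first fixed release, per the record


def parse_version(text):
    """Extract x.y[.z] from a bare version or a 'curl --version' banner."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(text):
    """True when INTRODUCED <= version < FIXED."""
    return INTRODUCED <= parse_version(text) < FIXED


def _tokens(content):
    """Yield .netrc tokens, dropping macdef macros (they run to a blank line)."""
    lines = content.splitlines()
    i = 0
    while i < len(lines):
        words = lines[i].split()
        if "macdef" in words:
            yield from words[: words.index("macdef")]
            i += 1
            while i < len(lines) and lines[i].strip():
                i += 1
        else:
            yield from words
        i += 1


def parse_netrc(content):
    """Return one dict per 'machine' or 'default' entry."""
    entries = []
    current = None
    it = iter(_tokens(content))
    for tok in it:
        if tok in ("machine", "default"):
            current = {"machine": next(it, None) if tok == "machine" else None,
                       "login": None, "password": None, "account": None}
            entries.append(current)
        elif tok in ("login", "password", "account") and current is not None:
            current[tok] = next(it, None)
    return entries


def bare_default_entries(entries):
    """The shape the advisory names: 'default' with neither login nor password."""
    return [e for e in entries
            if e["machine"] is None and e["login"] is None and e["password"] is None]


def audit(netrc_content, curl_version_text):
    """Combine the two checkable preconditions. Whether the command line uses
    --netrc and follows redirects (-L) is not visible from the file itself."""
    entries = parse_netrc(netrc_content)
    bare = bare_default_entries(entries)
    affected = is_affected(curl_version_text)
    return {
        "affected_version": affected,
        "bare_default": bool(bare),
        "at_risk": affected and bool(bare),
        # hosts whose password could travel to a redirect target
        "hosts_with_passwords": [e["machine"] for e in entries
                                 if e["machine"] and e["password"]],
    }


# Constructed sample inputs (not real credentials or files).
RISKY_NETRC = """\
machine api.example.test login alice password s3cret
macdef init
  cd /pub

default
"""

SAFE_NETRC = """\
machine api.example.test login alice password s3cret
default login anonymous password guest
"""

if __name__ == "__main__":
    for name, content in (("risky", RISKY_NETRC), ("safe", SAFE_NETRC)):
        print(name, audit(content, "curl 8.11.1 (x86_64-pc-linux-gnu)"))
```

Feed it the output of `curl --version` and the contents of `~/.netrc`; a `True` under `at_risk` means the file shape from the advisory is present on a build in the affected range, and the listed hosts are the ones whose passwords the advisory says could be leaked to a followed-to host. Upgrading to 8.12.0 or later, or giving the `default` entry an explicit login and password, clears the condition.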