{"id":"CURL-CVE-2025-14524","summary":"bearer token leak on cross-protocol redirect","details":"When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.","aliases":["CVE-2025-14524"],"modified":"2026-01-09T05:52:30.742487Z","published":"2026-01-06T08:00:00Z","database_specific":{"issue":"https://hackerone.com/reports/3459417","www":"https://curl.se/docs/CVE-2025-14524.html","last_affected":"8.17.0","affects":"both","CWE":{"id":"CWE-522","desc":"Insufficiently Protected Credentials"},"severity":"Low","URL":"https://curl.se/docs/CVE-2025-14524.json","award":{"currency":"USD","amount":"505"},"package":"curl"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.33.0"},{"fixed":"8.18.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"06c1bea72faabb6fad4b7ef818aafaa336c9a7aa"},{"fixed":"1a822275d333dc6da6043497160fd04c8fa48640"}]}],"versions":["8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2025-14524.json","vanir_signatures":[{"signature_type":"Line","id":"CURL-CVE-2025-14524-1419737b","source":"https://github.com/curl/curl.git/commit/1a822275d333dc6da6043497160fd04c8fa48640","target":{"file":"lib/curl_sasl.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["206227627013705818388421116095464280275","146445018200798695659894282886989332010","73137026632638984080970357216391271479","20180869616707082726044560042120516718","297804764287478899455851841748028963067","75500228844593104379061953534717048700","310934647514053912658054552670061024950","120650008394980476833413788340692501428"],"threshold":0.9}},{"signature_type":"Function","id":"CURL-CVE-2025-14524-22368e97","source":"https://github.com/curl/curl.git/commit/1a822275d333dc6da6043497160fd04c8fa48640","target":{"function":"sasl_choose_oauth2","file":"lib/curl_sasl.c"},"signature_version":"v1","deprecated":false,"digest":{"length":489,"function_hash":"208767605308290121900945290777100662394"}},{"signature_type":"Function","id":"CURL-CVE-2025-14524-77b7df11","source":"https://github.com/curl/curl.git/commit/1a822275d333dc6da6043497160fd04c8fa48640","target":{"function":"sasl_choose_oauth","file":"lib/curl_sasl.c"},"signature_version":"v1","deprecated":false,"digest":{"length":633,"function_hash":"191750539846852921826204324538456858850"}}]}}],"schema_version":"1.7.3","credits":[{"name":"anonymous237 on hackerone","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}