CVE-2025-0167
Published: February 7, 2025Last modified: September 22, 2025
Description
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.4 |
| Attack Vector | NETWORK |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality | LOW |
| Integrity impact | NONE |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | curl | Fixed (8.9.1-r2) |
| Stream | curl | Fixed (8.12.0-r0) |