CVE-2025-0167

Name
CVE-2025-0167
Description
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
NVD Severity
unknown

References

| Type | URI |
| --- | --- |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2025-0167.html |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://curl.se/docs/CVE-2025-0167.json |
| 2499f714-1537-4658-8207-48ae4bb9eae9 | https://hackerone.com/reports/2917232 |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250306-0008/ |

Match rules

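| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | curl | >= 0 | <= 8.11.1 |
| | curl | >= 0 | <= 8.11.0 |
| | curl | >= 0 | <= 8.10.1 |
| | curl | >= 0 | <= 8.10.0 |
| | curl | >= 0 | <= 8.9.1 |
| | curl | >= 0 | <= 8.9.0 |
| | curl | >= 0 | <= 8.8.0 |
| | curl | >= 0 | <= 8.7.1 |
| | curl | >= 0 | <= 8.7.0 |
| | curl | >= 0 | <= 8.6.0 |
| | curl | >= 0 | <= 8.5.0 |
| | curl | >= 0 | <= 8.4.0 |
| | curl | >= 0 | <= 8.3.0 |
| | curl | >= 0 | <= 8.2.1 |
| | curl | >= 0 | <= 8.2.0 |
| | curl | >= 0 | <= 8.1.2 |
| | curl | >= 0 | <= 8.1.1 |
| | curl | >= 0 | <= 8.1.0 |
| | curl | >= 0 | <= 8.0.1 |
| | curl | >= 0 | <= 8.0.0 |
| | curl | >= 0 | <= 7.88.1 |
| | curl | >= 0 | <= 7.88.0 |
| | curl | >= 0 | <= 7.87.0 |
| | curl | >= 0 | <= 7.86.0 |
| | curl | >= 0 | <= 7.85.0 |
| | curl | >= 0 | <= 7.84.0 |
| | curl | >= 0 | <= 7.83.1 |
| | curl | >= 0 | <= 7.83.0 |
| | curl | >= 0 | <= 7.82.0 |
| | curl | >= 0 | <= 7.81.0 |
| | curl | >= 0 | <= 7.80.0 |
| | curl | >= 0 | <= 7.79.1 |
| | curl | >= 0 | <= 7.79.0 |
| | curl | >= 0 | <= 7.78.0 |
| | curl | >= 0 | <= 7.77.0 |
| | curl | >= 0 | <= 7.76.1 |
| | curl | >= 0 | <= 7.76.0 |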

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| curl | edge-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | edge-main | 8.11.0-r2 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| curl | edge-main | 8.11.1-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| curl | edge-main | 8.11.1-r1 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |
| curl | 3.21-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | 3.20-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | 3.19-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |
| curl | 3.18-main | 8.12.0-r0 | Natanael Copa <ncopa@alpinelinux.org> | fixed |