CVE-2025-0167 — Alpine Security Tracker

CVE-2025-0167

Name

CVE-2025-0167

Description

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

References

Type	URI
2499f714-1537-4658-8207-48ae4bb9eae9	https://curl.se/docs/CVE-2025-0167.html
2499f714-1537-4658-8207-48ae4bb9eae9	https://curl.se/docs/CVE-2025-0167.json
2499f714-1537-4658-8207-48ae4bb9eae9	https://hackerone.com/reports/2917232
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20250306-0008/

Type

URI

2499f714-1537-4658-8207-48ae4bb9eae9

https://curl.se/docs/CVE-2025-0167.html

2499f714-1537-4658-8207-48ae4bb9eae9

https://curl.se/docs/CVE-2025-0167.json

2499f714-1537-4658-8207-48ae4bb9eae9

https://hackerone.com/reports/2917232

af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20250306-0008/

Match rules

Source package	Min version	Max version
curl	>= 0	<= 8.11.1
curl	>= 0	<= 8.11.0
curl	>= 0	<= 8.10.1
curl	>= 0	<= 8.10.0
curl	>= 0	<= 8.9.1
curl	>= 0	<= 8.9.0
curl	>= 0	<= 8.8.0
curl	>= 0	<= 8.7.1
curl	>= 0	<= 8.7.0
curl	>= 0	<= 8.6.0
curl	>= 0	<= 8.5.0
curl	>= 0	<= 8.4.0
curl	>= 0	<= 8.3.0
curl	>= 0	<= 8.2.1
curl	>= 0	<= 8.2.0
curl	>= 0	<= 8.1.2
curl	>= 0	<= 8.1.1
curl	>= 0	<= 8.1.0
curl	>= 0	<= 8.0.1
curl	>= 0	<= 8.0.0
curl	>= 0	<= 7.88.1
curl	>= 0	<= 7.88.0
curl	>= 0	<= 7.87.0
curl	>= 0	<= 7.86.0
curl	>= 0	<= 7.85.0
curl	>= 0	<= 7.84.0
curl	>= 0	<= 7.83.1
curl	>= 0	<= 7.83.0
curl	>= 0	<= 7.82.0
curl	>= 0	<= 7.81.0
curl	>= 0	<= 7.80.0
curl	>= 0	<= 7.79.1
curl	>= 0	<= 7.79.0
curl	>= 0	<= 7.78.0
curl	>= 0	<= 7.77.0
curl	>= 0	<= 7.76.1
curl	>= 0	<= 7.76.0

CPE URI

Source package

Min version

Max version

curl

>= 0

<= 8.11.1

curl

>= 0

<= 8.11.0

curl

>= 0

<= 8.10.1

curl

>= 0

<= 8.10.0

curl

>= 0

<= 8.9.1

curl

>= 0

<= 8.9.0

curl

>= 0

<= 8.8.0

curl

>= 0

<= 8.7.1

curl

>= 0

<= 8.7.0

curl

>= 0

<= 8.6.0

curl

>= 0

<= 8.5.0

curl

>= 0

<= 8.4.0

curl

>= 0

<= 8.3.0

curl

>= 0

<= 8.2.1

curl

>= 0

<= 8.2.0

curl

>= 0

<= 8.1.2

curl

>= 0

<= 8.1.1

curl

>= 0

<= 8.1.0

curl

>= 0

<= 8.0.1

curl

>= 0

<= 8.0.0

curl

>= 0

<= 7.88.1

curl

>= 0

<= 7.88.0

curl

>= 0

<= 7.87.0

curl

>= 0

<= 7.86.0

curl

>= 0

<= 7.85.0

curl

>= 0

<= 7.84.0

curl

>= 0

<= 7.83.1

curl

>= 0

<= 7.83.0

curl

>= 0

<= 7.82.0

curl

>= 0

<= 7.81.0

curl

>= 0

<= 7.80.0

curl

>= 0

<= 7.79.1

curl

>= 0

<= 7.79.0

curl

>= 0

<= 7.78.0

curl

>= 0

<= 7.77.0

curl

>= 0

<= 7.76.1

curl

>= 0

<= 7.76.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
curl	edge-main	8.12.0-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
curl	edge-main	8.11.0-r2	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
curl	edge-main	8.11.1-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
curl	edge-main	8.11.1-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
curl	3.21-main	8.12.0-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
curl	3.20-main	8.12.0-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
curl	3.19-main	8.12.0-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
curl	3.18-main	8.12.0-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

curl

edge-main

8.12.0-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

curl

edge-main