Curl is a widely used command-line tool for transferring data over a myriad of network protocols. It's also a library that many developers use to handle HTTP requests in their applications. Recently, a subtle yet critical vulnerability was discovered, identified as CVE-2025-0167. Under specific conditions, Curl could unintentionally leak the password used for the initial host to the followed-to host during HTTP redirects.

In this post, we'll take an in-depth look at this vulnerability, provide code snippets for demonstration purposes, and link to original references on this topic. Moreover, we will discuss the specific exploit details and how to mitigate the issue.

The Vulnerability

This security flaw only occurs when Curl is instructed to both use a .netrc file for credentials and follow HTTP redirects. The issue comes into play when the given .netrc file contains a default entry that omits both login and password. Though this may seem quite rare, it's essential to be aware of the potential risks.

Here's an example of a .netrc file with a default entry without a login and password:

machine example.com login myuser password mypassword
default

If Curl accesses a URL on the example.com domain, it finds and uses the provided credentials to authenticate. However, when the file also has a default entry without any login and password information, and the URL redirects to another host (e.g., example2.com), Curl leaks the password used for the first host to the followed-to host.

Exploit Details

The primary requirement for this exploit to happen is having a .netrc file with a default entry missing the login and password fields.

If an attacker sets up a website that causes a redirect to another domain, and the target's Curl script uses the .netrc configuration described above and is instructed to follow redirects, the attacker can capture the target's password when Curl unintentionally leaks it during the redirect process.

Here's a sample Curl command that could potentially expose the vulnerability:

curl -L --netrc-file ./.netrc https://example.com/redirect

In this command, -L instructs Curl to follow redirects, while --netrc-file provides the .netrc file with the credentials.

Mitigation

Curl's developers have released a patch that fixes this issue in version 7.81.. If you use Curl as a command-line tool or incorporate it as a library in your project, it's crucial to update to this version or later to eliminate the risk of this vulnerability.

Upgrading the Curl command-line tool can usually be accomplished with a simple system package manager update. For example, on Debian-based systems, you can run:

sudo apt-get update && sudo apt-get install --only-upgrade curl

Similarly, for developers using the libcurl library, make sure to update to version 7.81. or later, and update your dependencies accordingly.
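To check whether a .netrc file matches the trigger condition described above (a default entry with neither login nor password), the following Python audit can be run over the file's contents. It is an added example, not code from the original post or from the curl project; the function names are illustrative, the sample inputs are constructed, and it assumes unquoted values without spaces.

```python
"""Audit .netrc contents for the trigger condition of CVE-2025-0167."""

def tokenize(text):
    """Whitespace tokens of a .netrc, skipping '#' comment lines and macdef bodies.
    Assumption: values are unquoted and contain no spaces."""
    tokens, in_macro = [], False
    for line in text.splitlines():
        if in_macro:
            in_macro = bool(line.strip())  # a blank line ends the macro body
            continue
        if line.lstrip().startswith("#"):
            continue
        words = line.split()
        if "macdef" in words:
            words = words[:words.index("macdef")]
            in_macro = True
        tokens.extend(words)
    return tokens

def parse_entries(text):
    """Return one dict per 'machine' or 'default' entry, in file order."""
    entries, it = [], iter(tokenize(text))
    for tok in it:
        if tok == "machine":
            entries.append({"host": next(it, None), "default": False})
        elif tok == "default":
            entries.append({"host": None, "default": True})
        elif tok in ("login", "password", "account") and entries:
            entries[-1][tok] = next(it, None)
    return entries

def exposed_hosts(text):
    """Hosts whose stored password is at risk: the file has a 'default' entry
    with neither login nor password, and the host entry carries a password."""
    entries = parse_entries(text)
    bare_default = any(e["default"] and "login" not in e and "password" not in e
                       for e in entries)
    if not bare_default:
        return []
    return [e["host"] for e in entries if not e["default"] and e.get("password")]

# Constructed sample inputs; RISKY is the layout shown earlier in this post.
RISKY = "machine example.com login myuser password mypassword\ndefault\n"
SAFE = ("machine example.com login myuser password mypassword\n"
        "default login anonymous password guest\n")

if __name__ == "__main__":
    for name, body in (("risky", RISKY), ("safe", SAFE)):
        print(name, exposed_hosts(body))
```

A non-empty result means the file should be reconfigured, either by removing the bare default entry or by giving it explicit login and password values.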

Conclusion

CVE-2025-0167 is a unique case with a limited scope of potential exploitation; nonetheless, it's important to be aware of this vulnerability and take the necessary actions described in this post. By verifying and reconfiguring the content of your .netrc files and updating your curl version, you can ensure the security of your data transfers with Curl.

References

1. The original Curl advisory discussing the vulnerability: https://curl.se/docs/CVE-2025-0167.html
2. The Curl repository on GitHub, containing the latest versions and patches: https://github.com/curl/curl
3. The Curl Developer Mailing list archive, including details on the discovery of this issue: https://curl.se/mail/lib-2025-07/0022.html

Timeline

Published on: 02/05/2025 10:15:22 UTC
Last modified on: 02/06/2025 15:15:16 UTC