VYPR
Unrated severity · NVD Advisory · Published Jan 24, 2018 · Updated Aug 5, 2024

CVE-2018-1000007

Description

libcurl <=7.57.0 leaks custom HTTP headers, including Authorization, to redirect targets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In libcurl versions 7.1 through 7.57.0, when an application sets custom HTTP headers (including Authorization headers) and enables automatic redirection following, the headers are sent not only to the initial host but also to any host specified in a Location: header during a 30x redirect. This behavior leaks potentially sensitive authentication data to unintended third parties [1][2].

Exploitation

An attacker needs only to control a URL that the libcurl-using client follows or to have a redirect chain that points to a server under the attacker's control. The client must be configured to follow HTTP redirects (via CURLOPT_FOLLOWLOCATION) and to send custom headers (e.g., via CURLOPT_HTTPHEADER). The attacker receives the leaked headers in the incoming request, including any Authorization header [2].

Impact

Successful exploitation results in the disclosure of sensitive authentication data—such as bearer tokens, basic authentication credentials, or other custom authentication information—to a third-party server. This can lead to impersonation of the client or unauthorized access to protected resources [1][2].

Mitigation

A fix was introduced in libcurl version 7.58.0 [2]. Red Hat backported the fix to httpd24-curl in RHSA-2018:3558 and to curl in RHSA-2018:3157, RHSA-2020:0544, and RHSA-2020:0594 [1][2][3][4]. Users should update to the patched version or avoid sending sensitive custom headers in combination with automatic redirect following.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
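The behaviour described in the Vulnerability, Exploitation and Mitigation sections can be modelled offline. The block below is an added example written for this page; it is not libcurl code and not part of the AI Insight narrative. It simulates the leaky behaviour (every custom header follows every redirect, as the advisory describes for libcurl <=7.57.0) next to a manual redirect loop of the kind an application runs with CURLOPT_FOLLOWLOCATION disabled, in which credential-bearing headers are only re-sent to the host the request originally targeted. The same-host rule, the `unrestricted` opt-in (named by analogy with libcurl's CURLOPT_UNRESTRICTED_AUTH, which the page does not discuss), the in-memory "servers", the host names and the token value are all constructed assumptions for the demonstration.

```python
"""Offline model of the CVE-2018-1000007 header leak and a same-host policy.

Constructed simulation (not libcurl's implementation): an in-memory map of
hosts stands in for the network, and follow() stands in for the manual
redirect handling an application does when CURLOPT_FOLLOWLOCATION is off.
"""
from urllib.parse import urljoin, urlsplit

# Headers that must not travel to a different host on redirect. Assumption:
# extend this set with any custom credential-bearing header your client sets.
SENSITIVE_HEADERS = frozenset({"authorization"})

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def same_host(url_a: str, url_b: str) -> bool:
    """True when scheme, host and port match (conservative origin check)."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def headers_for_hop(origin: str, target: str, headers: dict,
                    unrestricted: bool = False) -> dict:
    """Decide which headers may be sent to `target`.

    Credentials go only to the origin host, unless the caller explicitly
    opts in with `unrestricted` (modelled on CURLOPT_UNRESTRICTED_AUTH).
    """
    if unrestricted or same_host(origin, target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def make_fetch(servers: dict, log: list):
    """Fake transport: records which header names each host received.

    `servers` maps hostname -> (status, Location header or None).
    """
    def fetch(url: str, headers: dict):
        host = urlsplit(url).hostname
        log.append((host, sorted(k.lower() for k in headers)))
        return servers[host]
    return fetch


def follow(url: str, headers: dict, fetch, *, max_redirects: int = 5,
           leaky: bool = False, unrestricted: bool = False):
    """Manual redirect loop. leaky=True reproduces the pre-7.58.0 behaviour
    the advisory describes: all custom headers follow every redirect."""
    origin = url
    for _ in range(max_redirects + 1):
        hop = dict(headers) if leaky else headers_for_hop(origin, url, headers, unrestricted)
        status, location = fetch(url, hop)
        if status not in REDIRECT_STATUSES or location is None:
            return status, url
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("too many redirects")


def demo():
    """Run one cross-host redirect chain both ways; return the two logs."""
    servers = {  # constructed hosts: the API redirects off-host to a third party
        "api.example.com": (302, "https://other.example.net/landing"),
        "other.example.net": (200, None),
    }
    headers = {"Authorization": "Bearer CONSTRUCTED-TOKEN", "X-Request-Id": "abc123"}
    leaky_log, policy_log = [], []
    follow("https://api.example.com/v1/data", headers, make_fetch(servers, leaky_log), leaky=True)
    follow("https://api.example.com/v1/data", headers, make_fetch(servers, policy_log))
    return leaky_log, policy_log


if __name__ == "__main__":
    leaky, policy = demo()
    for name, log in (("leaky", leaky), ("same-host policy", policy)):
        print(name)
        for host, names in log:
            print(f"  {host:22} got {names}")
```

Running it shows `other.example.net` receiving `authorization` in the leaky run and only `x-request-id` under the same-host policy, while `api.example.com` receives both in either case. The check is deliberately on scheme, host and port rather than on the URL path, since the advisory's concern is which server ends up holding the credential; a redirect to a different path on the same host is treated as trusted.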

Affected products (15)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (14)

News mentions (0)

No linked articles in our index yet.