CVE-2020-8169
Description
curl 7.62.0 through 7.70.0 leaks part of HTTP authentication password to DNS servers when following a relative redirect.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In curl versions 7.62.0 through 7.70.0, libcurl fails to URL-encode credentials set via CURLOPT_USERPWD, CURLOPT_USERNAME, or CURLOPT_PASSWORD options. When a relative HTTP redirect (a Location header with a relative path) is followed, curl constructs a full URL by combining components. Because the credentials are not URL-encoded, the subsequent re-parsing of the URL incorrectly treats a portion of the password as part of the hostname. This partial password is then included in DNS queries and transmitted over the network [1].
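The mechanism described above, as an added illustration that is not curl's code: the snippet resolves a relative Location header, re-attaches the credentials to the new URL with and without URL-encoding, and re-parses the result to see which host name a DNS lookup for the redirect target would use. The host, path, username and password are constructed for the example. It uses Python's urllib.parse rather than libcurl's URL parser, so the exact split point differs from libcurl's, but the effect, a fragment of the password landing in the host component, is the same.

```python
from urllib.parse import quote, unquote, urljoin, urlsplit, urlunsplit


def attach_credentials(url, username, password, encode):
    """Rebuild `url` with a userinfo component, URL-encoding it only if `encode` is set."""
    parts = urlsplit(url)
    if encode:
        # safe="" also encodes "/" and "@", the characters that break the authority section
        username, password = quote(username, safe=""), quote(password, safe="")
    netloc = f"{username}:{password}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def follow_relative_redirect(current_url, location, username, password, encode):
    """Resolve a relative Location header, re-attach the credentials, then re-parse the result.

    Returns the composed URL plus the host name and password a second parse recovers
    from it; the host name is what a DNS lookup for the redirect target would use.
    """
    target = urljoin(current_url, location)
    full = attach_credentials(target, username, password, encode)
    reparsed = urlsplit(full)
    return {
        "url": full,
        "host": reparsed.hostname,
        "password": unquote(reparsed.password) if reparsed.password else None,
    }


def password_fragment_in_host(result, expected_host, password):
    """True when the re-parsed host is not the real target but a piece of the password."""
    host = result["host"]
    return host is not None and host != expected_host and host in password


if __name__ == "__main__":
    # Constructed values: a password containing "@" and "/", and a relative redirect to /next.
    for encode in (False, True):
        r = follow_relative_redirect("http://example.com/login", "/next", "alice", "p@ss/word", encode)
        leaks = password_fragment_in_host(r, "example.com", "p@ss/word")
        print(f"encode={encode}: url={r['url']} host={r['host']} leaks={leaks}")
```

Without encoding, the composed URL is `http://alice:p@ss/word@example.com/next`, and the second parse takes `ss` as the host; with `quote(..., safe="")` applied, the host is `example.com` and the password round-trips intact. Any code path that composes a URL from separately supplied credentials needs the same encoding step before the URL is handed to a parser.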
Exploitation
An attacker must control a server that sends a relative redirect to a client using an affected curl version. The client must have HTTP authentication credentials set via the curl_easy_setopt options (not embedded in the URL). The attacker can then observe DNS queries or network traffic to capture the leaked portion of the password [1].
Impact
A partial password is disclosed to DNS servers and any network observer. This information disclosure reduces the effective password entropy and may aid in further attacks, such as brute-forcing the remaining characters [1].
Mitigation
The vulnerability is fixed in curl version 7.71.0, released on June 24, 2020. Users should upgrade to curl 7.71.0 or later. No workaround is available for affected versions [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- curl/curl
- OSV coordinates (4 package versions):
  - pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/curl-mini&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2
- (no CPE) range: < 7.66.0-lp152.3.3.1
- (no CPE) range: < 7.79.1-1.1
- (no CPE) range: < 7.66.0-lp152.3.3.1
- (no CPE) range: < 7.66.0-4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.debian.org/security/2021/dsa-4881 (MITRE; vendor advisory; x_refsource_DEBIAN)
- cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf (MITRE; x_refsource_CONFIRM)
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (MITRE; x_refsource_CONFIRM)
- curl.se/docs/CVE-2020-8169.html (MITRE; x_refsource_MISC)
- hackerone.com/reports/874778 (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.