CVE-2021-22876
Description
curl/libcurl leaks credentials in Referer header when CURLOPT_AUTOREFERER is set, fixed in 7.76.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
libcurl versions 7.1.1 through 7.75.0, when the CURLOPT_AUTOREFERER option is enabled, automatically populate the Referer: HTTP request header with the full URL of the previous request, including any embedded user credentials (e.g., https://user:pass@example.com/). This affects both libcurl and the curl tool when using --referer ";auto". The credentials are not stripped before setting the header, leading to potential exposure [1].
Exploitation
An attacker must control a target server that the vulnerable client (with CURLOPT_AUTOREFERER enabled) makes a subsequent HTTP request to, after having made a prior request to a URL containing credentials. The Referer: header in the second request will contain the full URL of the first request, including the credentials, thus leaking them to the attacker-controlled server [1].
Impact
Successful exploitation results in the disclosure of sensitive user credentials (username and password) from the URL to an unauthorized third-party server. This can lead to unauthorized access to resources that the credentials protect [1].
Mitigation
Upgrade to curl 7.76.0, which fixes the issue by blanking out credentials from the URL before using it to populate the Referer: header [1]. Alternatively, apply the provided patch to local installations, avoid using CURLOPT_AUTOREFERER or --referer ";auto", or supply credentials via CURLOPT_USERPWD or -u instead of embedding them in the URL [1].
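The fix described above blanks the userinfo part of the previous URL before reusing it as the Referer value. The following C code is an added example, not curl's or libcurl's own implementation: it shows a minimal version of that defensive step for a generic scheme://[user[:pass]@]host/... URL, and a companion check a proxy or request-log reviewer can run over a raw "Referer:" header line to spot a client that is still leaking credentials. All sample URLs and the log line are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Locate the userinfo '@' inside the authority component of url.
 * Returns a pointer to that '@', or NULL when the URL carries no userinfo.
 * The authority ends at the first '/', '?' or '#' after "://", so an '@'
 * appearing later in the path or query is not mistaken for credentials.
 * Per RFC 3986 the last '@' in the authority is the userinfo delimiter. */
static const char *find_userinfo_at(const char *url)
{
    const char *auth = strstr(url, "://");
    if (auth == NULL)
        return NULL;
    auth += 3;
    size_t auth_len = strcspn(auth, "/?#");
    const char *at = NULL;
    for (size_t i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            at = auth + i;
    return at;
}

/* 1 if the URL embeds user[:pass]@ in its authority, else 0. */
int url_has_credentials(const char *url)
{
    return find_userinfo_at(url) != NULL;
}

/* Copy url into out with any userinfo removed, the way a safe
 * auto-Referer builder should before sending the header.
 * Returns 1 if credentials were stripped, 0 if the URL was copied
 * unchanged, -1 if out is too small for the result. */
int strip_url_credentials(const char *url, char *out, size_t outlen)
{
    const char *at = find_userinfo_at(url);
    size_t prefix_len;
    const char *rest;

    if (at == NULL) {
        prefix_len = 0;      /* nothing to strip: copy verbatim */
        rest = url;
    } else {
        prefix_len = (size_t)(strstr(url, "://") + 3 - url); /* "scheme://" */
        rest = at + 1;       /* host and everything after it */
    }
    size_t rest_len = strlen(rest);
    if (prefix_len + rest_len + 1 > outlen)
        return -1;
    memcpy(out, url, prefix_len);
    memcpy(out + prefix_len, rest, rest_len + 1);
    return at != NULL;
}

/* Detection helper for a proxy or access log: does this raw header line
 * ("Referer: <url>", header name matched case-insensitively) carry
 * credentials in its URL? Returns 1 if so, else 0. */
int referer_line_leaks_credentials(const char *line)
{
    static const char name[] = "referer:";
    for (size_t i = 0; name[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != name[i])
            return 0;
    const char *value = line + sizeof(name) - 1;
    while (*value == ' ' || *value == '\t')
        value++;
    return url_has_credentials(value);
}

int main(void)
{
    /* Constructed sample input, not captured from a real system. */
    const char *prev = "https://alice:s3cret@api.example.test/v1/login";
    char referer[256];
    if (strip_url_credentials(prev, referer, sizeof referer) == 1)
        printf("Referer: %s\n", referer);

    const char *logline = "Referer: https://alice:s3cret@api.example.test/v1/login";
    printf("credential leak in log line: %d\n",
           referer_line_leaks_credentials(logline));
    return 0;
}
```

The stripping routine works on the authority only, so an '@' inside a query string (for example a mail address parameter) is left alone, and a URL with no "://" is copied through untouched. The log check is the defender-side counterpart: running it over outbound request logs surfaces clients that still embed credentials in URLs and have auto-Referer enabled, which is exactly the combination the advisory warns about.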
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (33)
- curl/curl
OSV coordinates (30 package versions; no CPE recorded, the range gives the versions affected before the distribution's fixed build):
- pkg:rpm/almalinux/curl (range: < 7.61.1-22.el8)
- pkg:rpm/almalinux/libcurl (range: < 7.61.1-22.el8)
- pkg:rpm/almalinux/libcurl-devel (range: < 7.61.1-22.el8)
- pkg:rpm/almalinux/libcurl-minimal (range: < 7.61.1-22.el8)
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.2 (range: < 7.66.0-lp152.3.15.1)
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed (range: < 7.79.1-1.1)
- pkg:rpm/opensuse/curl-mini&distro=openSUSE%20Leap%2015.2 (range: < 7.66.0-lp152.3.15.1)
- pkg:rpm/suse/curl&distro=SUSE%20Enterprise%20Storage%206 (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.0 (range: < 7.66.0-4.14.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2 (range: < 7.66.0-4.14.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (range: < 7.60.0-4.20.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (range: < 7.60.0-11.15.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (range: < 7.60.0-4.20.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (range: < 7.60.0-11.15.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (range: < 7.60.0-11.15.1)
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Proxy%204.0 (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.0 (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20Manager%20Server%204.0 (range: < 7.60.0-3.42.1)
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%209 (range: < 7.60.0-4.20.1)
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (range: < 7.60.0-4.20.1)
- pkg:rpm/suse/curl-openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY (range: < 7.37.0-70.60.1)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
References (10)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/ (mitre; vendor-advisory; x_refsource_FEDORA)
- security.gentoo.org/glsa/202105-36 (mitre; vendor-advisory; x_refsource_GENTOO)
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (mitre; x_refsource_CONFIRM)
- curl.se/docs/CVE-2021-22876.html (mitre; x_refsource_MISC)
- hackerone.com/reports/1101882 (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2021/05/msg00019.html (mitre; mailing-list; x_refsource_MLIST)
- security.netapp.com/advisory/ntap-20210521-0007/ (mitre; x_refsource_CONFIRM)
- www.oracle.com//security-alerts/cpujul2021.html (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.