VYPR
Unrated severity · NVD Advisory · Published Dec 11, 2024 · Updated Nov 3, 2025

netrc and redirect credential leak

CVE-2024-11053

Description

Curl may leak .netrc passwords during HTTP redirects if the redirect target's netrc entry omits the password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

When curl is configured to use a .netrc file for credentials and to follow HTTP redirects (e.g., with -L), it can leak the password used for the original host to the host it is redirected to. This happens when the .netrc file has an entry matching the redirect target hostname but that entry omits the password, or omits both login and password. Affected versions are curl 7.76.0 through 8.11.0 inclusive; versions before 7.76.0, and 8.11.1 and later, are not affected [1].

Exploitation

The attacker must control a redirect from a host for which the user has a netrc entry with a password to a host whose netrc entry lacks a password (or both login and password). The user must be running curl with --netrc (or --netrc-file) and following redirects (e.g., with -L). The attacker could be the owner of the redirect target or be in a position to perform a man-in-the-middle attack. No authentication is needed; the user's curl automatically sends the leaked password [1].

Impact

Successful exploitation results in disclosure of the password for the original host to the redirect target host. An attacker obtaining this password could gain unauthorized access to the original host using the victim's credentials. The confidentiality of the password is compromised [1].

Mitigation

Upgrade to curl 8.11.1 or apply the patches referenced in the advisory (commits e9b9bbac22c26cf6731, 9fce2c55d4b0273ac99, and 9bee39bfed2c413b4cc). The fix ensures that when a netrc entry lacks a password for the redirect target, the password from the original request is not reused. If upgrading is not immediately possible, avoid using .netrc together with redirect following, or ensure all redirect targets have complete netrc entries (including password) [1].
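The following Python is an added example, not code from the advisory, NVD or the curl project: it audits a .netrc for entries that lack a password, checks whether a curl version falls in the affected range, and models the described credential carry-over beside the fixed behaviour. The sample .netrc, the host names and the `fixed` flag are constructed assumptions, and the model follows the advisory's description rather than curl's source.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample .netrc (not from the advisory): origin has a full entry,
# mirror omits the password, cdn omits both login and password.
SAMPLE_NETRC = """
machine origin.example login alice password s3cret
machine mirror.example login bob
machine cdn.example
"""

def parse_netrc(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Minimal token parser for machine/login/password entries (no default/macdef)."""
    entries: Dict[str, Dict[str, Optional[str]]] = {}
    tokens, host, i = text.split(), None, 0
    while i < len(tokens):
        if tokens[i] == "machine" and i + 1 < len(tokens):
            host = tokens[i + 1]
            entries[host] = {"login": None, "password": None}
            i += 2
        elif tokens[i] in ("login", "password") and host and i + 1 < len(tokens):
            entries[host][tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries

def credentials_sent(entries, chain: List[str], fixed: bool) -> Tuple[Optional[str], Optional[str]]:
    """Model (not curl's code) of credential selection along a redirect chain, as described:
    affected versions overwrite only fields the target's entry supplies, so a stale password
    survives; the fixed behaviour takes the entry as-is. Hosts with no entry send nothing."""
    login = password = None
    for host in chain:
        entry = entries.get(host)
        if entry is None:
            login = password = None
        elif fixed:
            login, password = entry["login"], entry["password"]
        else:
            login = entry["login"] if entry["login"] is not None else login
            password = entry["password"] if entry["password"] is not None else password
    return login, password

def incomplete_entries(entries) -> List[str]:
    """Hosts whose entry lacks a password: the condition the advisory names."""
    return [h for h, e in entries.items() if e["password"] is None]

def curl_version_affected(version: str) -> bool:
    """True for curl 7.76.0 through 8.11.0 inclusive, the range given in the advisory."""
    parts = [int(p) for p in version.split(".")[:3]] + [0, 0]
    return (7, 76, 0) <= tuple(parts[:3]) <= (8, 11, 0)
```

Running `incomplete_entries` over a real .netrc lists the hosts that need a complete entry (or removal) until curl is upgraded.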

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 42

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0