VYPR
Unrated severity · NVD Advisory · Published Feb 5, 2025 · Updated Mar 7, 2025

netrc and default credential leak

CVE-2025-0167

Description

When curl uses a .netrc file with a default entry missing both login and password, following HTTP redirects can leak the original host's password to the redirect target.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

curl versions 7.76.0 through 8.11.1 inclusive are affected. When libcurl is configured to use a .netrc file for credentials and also to follow HTTP redirects, a specific misconfiguration allows password leakage. The flaw only occurs if the .netrc file contains a default entry that omits both login and password. Under normal operation, a default entry without credentials is used to skip authentication for unknown hosts; however, due to a logic error, the password from a preceding machine entry can be inherited and sent to the redirect target [1].

Exploitation

An attacker must control a server that receives a redirect from an initial host for which the .netrc file has a valid machine entry with credentials. The .netrc file must also have a default entry with no login and password. The attacker triggers the redirect (e.g., via a crafted response), and libcurl sends the password from the first host to the second, potentially exposing it to the attacker-controlled server [1].

Impact

Successful exploitation leads to disclosure of the password used for the first host to a different host, violating the intended isolation between netrc entries. This is classified as CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The severity is low because the required netrc misconfiguration is rare, and the attacker must already be in a position to control a redirect target [1].

Mitigation

Upgrade to curl version 8.12.0 or later. For versions prior to 8.11.0, apply the patches referenced in the advisory; additionally, commit 9bee39b is required for proper fix functionality in version 8.11.0. A workaround is to avoid using .netrc with redirects, or ensure no default entry exists with missing login and password [1].
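
The workaround can be checked mechanically. The following is an added example, not code from curl or the advisory: it lists the machine entries whose stored passwords precede a default entry that has neither login nor password, and tests a version string against the affected range given on this page. The function names and sample files are constructed for illustration, and the tokenizer assumes unquoted values without embedded whitespace.

```python
import re

# Affected range as stated on this page: 7.76.0 through 8.11.1 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (7, 76, 0), (8, 11, 1)

def curl_version_affected(version):
    """True if a 'major.minor.patch' string falls inside the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised curl version: {version!r}")
    return AFFECTED_MIN <= tuple(map(int, m.groups())) <= AFFECTED_MAX

def parse_netrc(text):
    """Return entries in file order; 'host' is None for the default entry."""
    tokens, in_macro = [], False
    for line in text.splitlines():
        if in_macro:                       # a macdef body runs to the next blank line
            in_macro = bool(line.strip())
            continue
        words = line.split()
        if words[:1] == ["macdef"]:
            in_macro = True
        elif not line.lstrip().startswith("#"):
            tokens += words
    entries, it = [], iter(tokens)
    for tok in it:
        if tok == "default":
            entries.append({"host": None})
        elif tok == "machine":
            entries.append({"host": next(it, "")})
        elif tok in ("login", "password", "account") and entries:
            entries[-1][tok] = next(it, "")  # consume the value so it is not read as a keyword
    return entries

def exposed_hosts(text):
    """Hosts with a stored password that precede a default entry lacking both
    login and password (the .netrc precondition this advisory describes)."""
    with_password = []
    for e in parse_netrc(text):
        if e["host"] is None and "login" not in e and "password" not in e:
            return with_password
        if e["host"] and "password" in e:
            with_password.append(e["host"])
    return []

# Constructed sample files (not from the advisory).
RISKY = "machine origin.example login alice password s3cret\ndefault\n"
SAFE = ("machine origin.example login alice password s3cret\n"
        "default login anonymous password guest\n")

if __name__ == "__main__":
    print(exposed_hosts(RISKY), exposed_hosts(SAFE), curl_version_affected("8.11.1"))
```

A version inside the range is not conclusive on its own, since the mitigation text notes that older releases can be patched; treat the version check as a prompt to inspect the .netrc file.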

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

References

3
