Unrated severityOSV Advisory· Published Jan 8, 2026· Updated Apr 2, 2026

bearer token leak on cross-protocol redirect

CVE-2025-14524

Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Affected products

Curl/CurlOSV2 versions
curl-7_33_0, curl-7_34_0, curl-7_35_0, …+ 1 more
- (no CPE)range: curl-7_33_0, curl-7_34_0, curl-7_35_0, …
- (no CPE)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

curl.se/docs/CVE-2025-14524.htmlmitre
curl.se/docs/CVE-2025-14524.jsonmitre
hackerone.com/reports/3459417mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000