curl Leaks Netrc Password to Redirected Host
CVE-2025-0167 Published on February 5, 2025

netrc and default credential leak
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

NVD

Vulnerability Analysis

CVE-2025-0167 can be exploited with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2025-0167. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

HIGH

Privileges Required:

NONE

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

LOW

Integrity Impact:

NONE

Availability Impact:

NONE

Products Associated with CVE-2025-0167

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-0167 are published in these products:

Haxx Curl

NetApp Element Software

NetApp Ontap Select Deploy Administration Utility

NetApp Solidfire Hci Management Node

NetApp Solidfire Hci Storage Node

NetApp Ontap

NetApp Ontap Tools

Affected Versions

curl:

Version 8.11.1, <= 8.11.1 is affected.
Version 8.11.0, <= 8.11.0 is affected.
Version 8.10.1, <= 8.10.1 is affected.
Version 8.10.0, <= 8.10.0 is affected.
Version 8.9.1, <= 8.9.1 is affected.
Version 8.9.0, <= 8.9.0 is affected.
Version 8.8.0, <= 8.8.0 is affected.
Version 8.7.1, <= 8.7.1 is affected.
Version 8.7.0, <= 8.7.0 is affected.
Version 8.6.0, <= 8.6.0 is affected.
Version 8.5.0, <= 8.5.0 is affected.
Version 8.4.0, <= 8.4.0 is affected.
Version 8.3.0, <= 8.3.0 is affected.
Version 8.2.1, <= 8.2.1 is affected.
Version 8.2.0, <= 8.2.0 is affected.
Version 8.1.2, <= 8.1.2 is affected.
Version 8.1.1, <= 8.1.1 is affected.
Version 8.1.0, <= 8.1.0 is affected.
Version 8.0.1, <= 8.0.1 is affected.
Version 8.0.0, <= 8.0.0 is affected.
Version 7.88.1, <= 7.88.1 is affected.
Version 7.88.0, <= 7.88.0 is affected.
Version 7.87.0, <= 7.87.0 is affected.
Version 7.86.0, <= 7.86.0 is affected.
Version 7.85.0, <= 7.85.0 is affected.
Version 7.84.0, <= 7.84.0 is affected.
Version 7.83.1, <= 7.83.1 is affected.
Version 7.83.0, <= 7.83.0 is affected.
Version 7.82.0, <= 7.82.0 is affected.
Version 7.81.0, <= 7.81.0 is affected.
Version 7.80.0, <= 7.80.0 is affected.
Version 7.79.1, <= 7.79.1 is affected.
Version 7.79.0, <= 7.79.0 is affected.
Version 7.78.0, <= 7.78.0 is affected.
Version 7.77.0, <= 7.77.0 is affected.
Version 7.76.1, <= 7.76.1 is affected.
Version 7.76.0, <= 7.76.0 is affected.

Exploit Probability

EPSS

0.17%

Percentile

38.72%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

curl Leaks Netrc Password to Redirected HostCVE-2025-0167 Published on February 5, 2025

Vulnerability Analysis

Products Associated with CVE-2025-0167

Affected Versions

Exploit Probability

curl Leaks Netrc Password to Redirected Host
CVE-2025-0167 Published on February 5, 2025