CVE-2025-0167

9 documents, 8 sources

Severity: 3.4 LOW
EPSS: 0.3% (percentile: top 43.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 5; Latest update Mar 11

Description

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

In curl terms, both conditions must hold on the same invocation: netrc lookup enabled (`-n`/`--netrc`, `--netrc-optional` or `--netrc-file`) and redirect following enabled (`-L`/`--location`), while the netrc file in use contains a bare `default` line carrying neither a `login` nor a `password` token. A `default` entry that has its own login and password, or a file with no `default` entry at all, does not trigger it. Affected: curl 7.76.0 through 8.11.1; fixed in 8.12.0 (see the package ranges below).
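The triggering condition is a property of the netrc file itself, so it can be audited without running curl. The checker below is an added example, not curl's own netrc parser and not code from the advisory: it tokenises a netrc file, flags any `default` entry with neither `login` nor `password`, and models the advisory's redirect case (first host served by its own `machine` entry, redirect target falling through to a bare `default`). The lookup model (first matching entry in file order, `default` matching any host), the use of shlex for quoting and comments, and the rejection of `macdef` blocks are simplifying assumptions; the host names and credentials in the samples are constructed.

```python
"""Audit a .netrc file for the shape CVE-2025-0167 depends on: a `default`
entry with neither `login` nor `password`. Added example, not curl's parser;
lookup semantics are a simplified model of the advisory (see lead-in)."""
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional
import shlex


@dataclass
class NetrcEntry:
    name: str                      # host name, or the literal "default"
    login: Optional[str] = None
    password: Optional[str] = None

    def is_bare_default(self) -> bool:
        return self.name == "default" and self.login is None and self.password is None


def parse_netrc(text: str) -> List[NetrcEntry]:
    """Tokenise netrc text into entries. Raises ValueError on malformed input."""
    tokens = shlex.split(text, comments=True)   # assumption: shlex quoting rules
    entries: List[NetrcEntry] = []
    current: Optional[NetrcEntry] = None
    i = 0

    def value_after(pos: int) -> str:
        if pos + 1 >= len(tokens):
            raise ValueError(f"keyword {tokens[pos]!r} has no value")
        return tokens[pos + 1]

    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = NetrcEntry(value_after(i))
            entries.append(current)
            i += 2
        elif tok == "default":
            current = NetrcEntry("default")
            entries.append(current)
            i += 1
        elif tok in ("login", "password", "account"):
            if current is None:
                raise ValueError(f"{tok!r} before any machine/default entry")
            val = value_after(i)
            if tok == "login":
                current.login = val
            elif tok == "password":
                current.password = val
            i += 2                 # `account` is accepted and ignored
        elif tok == "macdef":
            raise ValueError("macdef blocks are not handled by this checker")
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return entries


def lookup(entries: List[NetrcEntry], host: str) -> Optional[NetrcEntry]:
    """First entry that applies to `host`: exact machine match or `default`."""
    for e in entries:
        if e.name == host or e.name == "default":
            return e
    return None


def bare_default_entries(entries: List[NetrcEntry]) -> List[NetrcEntry]:
    return [e for e in entries if e.is_bare_default()]


def redirect_leak_possible(entries: List[NetrcEntry], first_host: str, redirect_host: str) -> bool:
    """Model of the advisory's condition for `curl -n -L` starting at first_host
    and redirected to redirect_host: the first host got a password from its own
    machine entry, and the target falls through to a bare `default` entry."""
    if not bare_default_entries(entries):
        return False
    first = lookup(entries, first_host)
    target = lookup(entries, redirect_host)
    if first is None or first.name == "default" or first.password is None:
        return False
    return target is not None and target.is_bare_default()


def audit_file(path: Path) -> List[str]:
    """Findings for a netrc file on disk; an empty list means no bare default."""
    entries = parse_netrc(path.read_text())
    return [f"{path}: bare `default` entry (no login/password) at entry {idx}"
            for idx, e in enumerate(entries) if e.is_bare_default()]


# Constructed samples: the first has the triggering shape, the second does not.
VULNERABLE_NETRC = """
machine api.example.com login alice password s3cret
default
"""
HARDENED_NETRC = """
machine api.example.com login alice password s3cret
default login anonymous password guest@example.com
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_NETRC), ("hardened", HARDENED_NETRC)):
        entries = parse_netrc(text)
        risky = redirect_leak_possible(entries, "api.example.com", "cdn.example.net")
        print(f"{label}: bare default={bool(bare_default_entries(entries))}, "
              f"leak possible on redirect to cdn.example.net: {risky}")
    home_netrc = Path.home() / ".netrc"
    if home_netrc.exists():
        print("\n".join(audit_file(home_netrc)) or f"{home_netrc}: no bare default entry")
```

Run it as-is to see the two samples classified, or point `audit_file` at a real `~/.netrc` in CI to catch the pattern before an affected curl is invoked with `-n -L`. Upgrading to 8.12.0 removes the bug; until then, giving the `default` entry its own login and password, or deleting it, takes the file out of the vulnerable shape.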

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N (exploitability 1.6, impact 1.4)

Affected Packages (4 packages)

- NVD: haxx/curl, from 7.76.0 up to (excluding) 8.12.0
- Alpine: curl < 8.12.0-r0 (+5 more)
- Debian: curl < 7.88.1-10+deb12u11 (+2 more)
- CVEListV5: curl/curl 8.11.1 (+36 more)

Also affects: ONTAP 9, ONTAP Tools 9

🔴 Vulnerability Details (4)

- GHSA: GHSA-c42g-rmxf-64ch, "When asked to use a `…" (2025-02-05)
- OSV: CVE-2025-0167, "When asked to use a `…" (2025-02-05)
- OSV: CVE-2025-0167, "When asked to use a `…" (2025-02-05)
- CVEList: "netrc and default credential leak" (2025-02-05)

📋 Vendor Advisories (3)

- Ubuntu: "curl vulnerabilities" (2026-03-11)
- Microsoft: "netrc and default credential leak" (2025-02-11)
- Debian: "CVE-2025-0167: curl - When asked to use a `.netrc` file for credentials **and** to follow HTTP redirec..." (2025)

💬 Community (1)

- HackerOne: "CVE-2025-0167: netrc and default credential leak" (2025-02-07)

Source: cvebase.io