CVE-2025-14524
Published 2026-01-08
Priority: P4 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.02% (6.6th percentile)
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
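The decision described above, modelled as an added example for this page (it is not libcurl source): a redirect-following loop that applies the rule curl uses for `CURLOPT_USERPWD` credentials (`Curl_auth_allowed_to_host()`: same scheme, host and port as the first URL, unless `CURLOPT_UNRESTRICTED_AUTH` / `--location-trusted` switches the check off) and shows what a redirect target receives when the OAuth2 bearer (`CURLOPT_XOAUTH2_BEARER` / `--oauth2-bearer`) is, and is not, gated by that same rule. `bearer_fixed=False` stands for curl before 8.18.0. The protocol allowlist mirrors `CURLOPT_REDIR_PROTOCOLS_STR` / `--proto-redir`, whose default since curl 7.65.2 is HTTP, HTTPS, FTP and FTPS, which is why an IMAP, LDAP, POP3 or SMTP redirect target is only reachable when the application has widened that list. The redirect chain, hostnames and token are constructed.

```python
"""Model of how libcurl decides which credentials follow a redirect.

Added example for this page, not libcurl source. Option names follow curl's;
the check mirrors the intent of Curl_auth_allowed_to_host(). URLs, token and
redirect chain are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Default ports, so https://h and https://h:443 compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990,
                 "imap": 143, "imaps": 993, "pop3": 110, "pop3s": 995,
                 "smtp": 25, "smtps": 465, "ldap": 389, "ldaps": 636}

# libcurl's default CURLOPT_REDIR_PROTOCOLS since 7.65.2 (curl CLI: --proto-redir).
DEFAULT_REDIR_PROTOCOLS = frozenset({"http", "https", "ftp", "ftps"})


@dataclass(frozen=True)
class Credentials:
    userpwd: Optional[str] = None   # CURLOPT_USERPWD / -u
    bearer: Optional[str] = None    # CURLOPT_XOAUTH2_BEARER / --oauth2-bearer


def origin(url: str) -> tuple:
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (p.hostname or "").lower(), port


def auth_allowed_to_host(first_url: str, hop_url: str, unrestricted_auth: bool = False) -> bool:
    """Rule behind curl's Curl_auth_allowed_to_host(): credentials given for the first
    URL go to a redirect target only if scheme, host and port are unchanged, unless
    CURLOPT_UNRESTRICTED_AUTH (--location-trusted) disables the check."""
    return unrestricted_auth or origin(first_url) == origin(hop_url)


def credentials_for_hop(first_url, hop_url, creds, *, bearer_fixed=True, unrestricted_auth=False):
    """What a redirect hop is allowed to see.

    userpwd has been gated since the CVE-2022-27774 fix. The bearer token is gated
    only when bearer_fixed is True, standing for curl 8.18.0 and later
    (CVE-2025-14524); before that it was forwarded regardless of the target."""
    allowed = auth_allowed_to_host(first_url, hop_url, unrestricted_auth)
    return Credentials(
        userpwd=creds.userpwd if allowed else None,
        bearer=creds.bearer if (allowed or not bearer_fixed) else None,
    )


def follow_redirects(first_url, creds, redirects, *, redir_protocols=DEFAULT_REDIR_PROTOCOLS,
                     bearer_fixed=True, unrestricted_auth=False, max_redirs=5):
    """Simulate CURLOPT_FOLLOWLOCATION over a table of url -> Location.

    Returns (trace, error): trace lists (url, Credentials actually sent) per hop;
    error is None, or the reason the transfer stopped before the chain ended."""
    trace = [(first_url, creds)]          # the first request always carries the credentials
    url = first_url
    for _ in range(max_redirs):
        location = redirects.get(url)
        if location is None:
            return trace, None
        scheme = urlsplit(location).scheme.lower()
        if scheme not in redir_protocols:
            # libcurl stops here (CURLE_UNSUPPORTED_PROTOCOL); nothing is sent to the target
            return trace, f"redirect to {scheme}:// not permitted by redirect protocol list"
        url = location
        trace.append((url, credentials_for_hop(first_url, url, creds,
                                               bearer_fixed=bearer_fixed,
                                               unrestricted_auth=unrestricted_auth)))
    return trace, "too many redirects"


def bearer_recipients(trace):
    """Hosts that actually received the bearer token."""
    return [origin(url)[1] for url, sent in trace if sent.bearer is not None]


# Constructed scenario: the trusted API host answers with a Location header pointing
# at an attacker-controlled IMAP server (for instance via an open redirect on the API).
FIRST_URL = "https://api.example.com/v1/me"
CHAIN = {FIRST_URL: "imap://attacker.example.net/INBOX"}
CREDS = Credentials(userpwd="alice:s3cret", bearer="ya29.constructed-token")

if __name__ == "__main__":
    scenarios = [
        ("pre-fix, imap allowed", dict(redir_protocols={"http", "https", "imap"}, bearer_fixed=False)),
        ("post-fix, imap allowed", dict(redir_protocols={"http", "https", "imap"})),
        ("default redirect protocols", {}),
    ]
    for label, kw in scenarios:
        trace, err = follow_redirects(FIRST_URL, CREDS, CHAIN, **kw)
        print(f"{label}: bearer sent to {bearer_recipients(trace)}; error={err}")
```

The three scenarios show the two independent controls: with the default redirect protocol list the IMAP hop is never attempted at all, and with the 8.18.0 behaviour the token stays home even when the list has been widened. Hardening that does not depend on the curl version: keep the redirect protocol list at its default or narrower (`--proto-redir =https`, or `CURLOPT_REDIR_PROTOCOLS_STR` set to `"https"`), never combine a bearer token with `--location-trusted` / `CURLOPT_UNRESTRICTED_AUTH`, and leave `CURLOPT_FOLLOWLOCATION` unset where the API does not need redirects.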
Affected
117 ranges · showing 25 (7.33.0 through 7.50.3). The remaining ranges extend to 8.17.0; see the VulDB and Debian entries below for the upper bound and the fixing version.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.33.0 – 7.33.0 | — |
| curl | curl | 7.34.0 – 7.34.0 | — |
| curl | curl | 7.35.0 – 7.35.0 | — |
| curl | curl | 7.36.0 – 7.36.0 | — |
| curl | curl | 7.37.0 – 7.37.0 | — |
| curl | curl | 7.37.1 – 7.37.1 | — |
| curl | curl | 7.38.0 – 7.38.0 | — |
| curl | curl | 7.39.0 – 7.39.0 | — |
| curl | curl | 7.40.0 – 7.40.0 | — |
| curl | curl | 7.41.0 – 7.41.0 | — |
| curl | curl | 7.42.0 – 7.42.0 | — |
| curl | curl | 7.42.1 – 7.42.1 | — |
| curl | curl | 7.43.0 – 7.43.0 | — |
| curl | curl | 7.44.0 – 7.44.0 | — |
| curl | curl | 7.45.0 – 7.45.0 | — |
| curl | curl | 7.46.0 – 7.46.0 | — |
| curl | curl | 7.47.0 – 7.47.0 | — |
| curl | curl | 7.47.1 – 7.47.1 | — |
| curl | curl | 7.48.0 – 7.48.0 | — |
| curl | curl | 7.49.0 – 7.49.0 | — |
| curl | curl | 7.49.1 – 7.49.1 | — |
| curl | curl | 7.50.0 – 7.50.0 | — |
| curl | curl | 7.50.1 – 7.50.1 | — |
| curl | curl | 7.50.2 – 7.50.2 | — |
| curl | curl | 7.50.3 – 7.50.3 | — |
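A triage helper written as an added example for this page (not a curl project tool) that reads `curl --version` output and decides whether a host's build is in the affected window. The bounds are taken from this page: the affected ranges start at 7.33.0 (first table row), VulDB gives the upper bound as 8.17.0, and Debian records the fix in 8.18.0~rc2-1. Two details matter in practice and are handled here: the bug is in libcurl, so the library version (the `libcurl/` token) is compared rather than the tool version, and the token can only reach an IMAP, LDAP, POP3 or SMTP target if the build has those protocols compiled in (the `Protocols:` line). The sample outputs are constructed.

```python
"""Triage a curl build against CVE-2025-14524 from `curl --version` output.

Added example for this page, not a curl project tool. Version bounds come from
the page (7.33.0 .. 8.17.0 affected, 8.18.0 fixed); sample outputs are constructed.
"""
import re

AFFECTED_FROM = (7, 33, 0)
AFFECTED_TO = (8, 17, 0)
FIXED_IN = (8, 18, 0)
# Schemes the advisory names as redirect targets; the token only reaches them if
# the build has the protocol compiled in.
TARGET_SCHEMES = {"imap", "imaps", "ldap", "ldaps", "pop3", "pop3s", "smtp", "smtps"}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """First X.Y.Z in text as an int tuple; tolerates suffixes such as 8.18.0-DEV."""
    m = _VER.search(text)
    if m is None:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g) for g in m.groups())


def parse_curl_version_output(output):
    """Extract tool version, linked libcurl version, protocol list and any distro
    'security patched' annotation from `curl --version` output."""
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    head = lines[0].split()
    if len(head) < 2 or head[0] != "curl":
        raise ValueError("not curl --version output")
    info = {"tool": parse_version(head[1]), "libcurl": None,
            "protocols": set(), "distro_patched": False}
    for tok in head[2:]:
        if tok.startswith("libcurl/"):
            info["libcurl"] = parse_version(tok[len("libcurl/"):])
    for ln in lines[1:]:
        if ln.startswith("Protocols:"):
            info["protocols"] = set(ln.split(":", 1)[1].split())
        elif ln.startswith("Release-Date:") and "security patched" in ln:
            # Ubuntu's packaged curl annotates the Release-Date line this way; the
            # upstream version number then says little about what is actually fixed.
            info["distro_patched"] = True
    if info["libcurl"] is None:
        info["libcurl"] = info["tool"]
    return info


def triage(output):
    """Verdict is one of 'not_affected', 'not_reachable', 'affected'.

    The vulnerable code is in libcurl, so the library version is what counts;
    the tool and the shared library can differ on a host with several libcurls."""
    info = parse_curl_version_output(output)
    v = info["libcurl"]
    in_range = AFFECTED_FROM <= v <= AFFECTED_TO
    reachable = sorted(info["protocols"] & TARGET_SCHEMES)
    if not in_range:
        verdict = "not_affected"
    elif not reachable:
        verdict = "not_reachable"   # vulnerable code, but no scheme for the redirect to land on
    else:
        verdict = "affected"
    note = ""
    if info["distro_patched"]:
        note = "distro build carries security backports; confirm via the package changelog, not the version"
    return {"libcurl": v, "tool": info["tool"], "reachable_schemes": reachable,
            "distro_patched": info["distro_patched"], "verdict": verdict, "note": note}


# Constructed `curl --version` outputs for the demo and the test.
SAMPLE_VULNERABLE = (
    "curl 8.17.0 (x86_64-pc-linux-gnu) libcurl/8.17.0 OpenSSL/3.0.13 zlib/1.3\n"
    "Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s smtp smtps\n"
    "Features: alt-svc AsynchDNS HTTPS-proxy SSL\n")
SAMPLE_FIXED = (
    "curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.0.13\n"
    "Protocols: http https imap smtp\n")
SAMPLE_NO_MAIL = (
    "curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.0.13\n"
    "Protocols: file http https\n")
SAMPLE_MISMATCH = (   # older tool binary linked against a fixed shared library
    "curl 8.12.1 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.0.13\n"
    "Protocols: http https imap\n")

if __name__ == "__main__":
    for name, out in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED),
                      ("no mail protocols", SAMPLE_NO_MAIL), ("tool/lib mismatch", SAMPLE_MISMATCH)]:
        print(f"{name}: {triage(out)['verdict']}")
```

On a real host, feed the output of `curl --version` to `triage()`. Treat a `not_affected` verdict from a distribution package with the caveat the `note` field gives: the Debian entry on this page shows suites tracked as "open" or "resolved" independently of the upstream number, and a patched distro build can carry an old version string.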
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| OSV | 5.3 | MEDIUM | |
| Debian | 5.3 | MEDIUM | |
| Red Hat | 5.3 | MEDIUM | |
| Ubuntu | 5.3 | MEDIUM | |
VulDB
cURL up to 8.17.0 Bearer Token redirect (1a822275d333dc6da6043497160fd / Nessus ID 282306)
vuldb · 2026-05-03 · CVSS 5.3 · CVE-2025-14524 [MEDIUM]
A vulnerability classified as problematic was found in cURL up to 8.17.0. It affects an unknown part of the Bearer Token Handler component. VulDB files the weakness as an open redirect; the effect described by the advisory text on this page is that the bearer token is sent on to the redirect target.
The attack can be launched remotely. No exploit is available.
You should upgrade the affected component.
OSV
curl vulnerabilities
osv · 2026-03-03 · CVSS 5.3 · CVE-2025-14017 [MEDIUM]
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and U
OSV
curl vulnerabilities
osv · 2026-02-25 · CVSS 5.3 · CVE-2025-9086 [MEDIUM]
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted URL, an attacker could possibly use this issue to
write files o
GHSA
GHSA-g897-jvjx-78vg
ghsa_unreviewed · 2026-01-08 · CVE-2025-14524 [MEDIUM] · CWE-601
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
OSV
CVE-2025-14524
osv · 2026-01-08 · CVSS 5.3 · CVE-2025-14524 [MEDIUM]
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2026-03-03 · CVSS 5.3 · CVE-2025-15224 [MEDIUM]
Summary: Several security issues were fixed in curl.
USN-8062-1 fixed vulnerabilities in curl. This update provides the
corresponding update for CVE-2025-14017, CVE-2025-15079, and CVE-2025-15224
for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04
LTS.
Original advisory details:
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malic
Ubuntu
curl vulnerabilities
vendor_ubuntu · 2026-02-25 · CVSS 5.3 · CVE-2025-13034 [MEDIUM]
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly handled cookies when redirected
from secure to insecure connections. An attacker could possibly use this
issue to cause a denial of service, or obtain sensitive information.
This issue only affected Ubuntu 25.10. (CVE-2025-9086)
Calvin Ruocco discovered that curl did not properly handle WebSocket
communications under certain circumstances. A malicious server could
possibly use this issue to poison proxy caches with malicious content.
This issue only affected Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-10148)
Stanislav Fort discovered that wcurl did not properly handle URLs with
certain encoded characters. If a user were tricked into processing
a specially crafted UR
Red Hat
curl: Information disclosure via cross-protocol redirect with OAuth2 bearer token
vendor_redhat · 2026-01-07 · CVSS 5.3 · CVE-2025-14524 [MEDIUM] · CWE-201
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
A flaw was found in curl. When an OAuth2 (Open Authorization) bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a different scheme like IMAP, LDAP, POP3, or SMTP, curl might incorrectly pass the bearer token to the new target host. This could lead to information disclosure, where sensitive authentication tokens are exposed to unintended recipients.
Statement: This vulnerability is rated Moderate for Red Hat because
Debian
CVE-2025-14524: curl - When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer p...
vendor_debian · 2025 · CVSS 5.3 · CVE-2025-14524 [MEDIUM]
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.18.0~rc2-1)
sid: resolved (fixed in 8.18.0~rc2-1)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-14524 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3 · CVE-2025-14524 [MEDIUM]
cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
Source: NVD
Score: 5.3 · Published: January 8, 2026 · Severity: MEDIUM · CNA Score: 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl-devel-32bit, curl-zsh-completion
Sources: Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDI
HackerOne
CVE-2026-3783: token leak with redirect and netrc
hackerone · 2026-03-11 · CVSS 5.3 · CVE-2026-3783 [MEDIUM]
## Summary
When `--oauth2-bearer` is used with `--netrc` and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at `http.c:822` skips `Curl_auth_allowed_to_host()`, allowing the token through. This is an incomplete fix for CVE-2025-14524 — the Dec 2025 SASL fix patched `curl_sasl.c` but missed the HTTP bearer path.
This is an incomplete fix for the same vulnerability class as CVE-2025-14524. The Dec 2025 SASL bearer fix (commit `1a822275d3`, PR #19933) patched `lib/curl_sasl.c` but left the HTTP bearer path at `lib/http.c:704-714` unprotected.
## Version
curl 8.10.1 (confirmed), also present in current master `d9c2c64337`. All versions supporting `--oauth2-bearer` with `--netrc` are affected.
**The n
HackerOne
libcurl: Improper Authentication State Management on Cross-Protocol Redirects
hackerone · 2026-01-17 · CVSS 5.7 · CVE-2025-14524 [MEDIUM]
Following the recent advisory for **CVE-2025-14524**, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same way during cross-protocol or cross-origin redirects. This report provides a detailed analysis and a working reproduction of how an attacker can leverage this state-management flaw to exfiltrate valid Bearer tokens.
**AI Statement**: This report was researched and generated with the assistance of an AI agent to analyze the libcurl source code and identify inconsistent state management logic. However, the vulnerabili
HackerOne
CVE-2025-14524: bearer token leak on cross-protocol redirect
hackerone · 2026-01-07 · CVSS 5.7 · CVE-2025-14524 [MEDIUM]
## Summary:
A vulnerability exists in `libcurl` regarding the handling of OAuth2 Bearer tokens (`CURLOPT_XOAUTH2_BEARER`) during HTTP redirects.
While `libcurl` correctly clears standard authentication credentials (`CURLOPT_USERPWD`) when following a redirect to a different host, port, or protocol (a security hardening introduced to fix CVE-2022-27774), it fails to apply the same logic to the OAuth2 Bearer token.
If an application using `libcurl` connects to a trusted server but is redirected to a malicious server (e.g., via an Open Redirect vulnerability) on a protocol supporting SASL (like IMAP, SMTP, or POP3), the valid Bearer token is automatically sent to the attacker. This happens because the token remains in the handle
Bugzilla
CVE-2025-14524 curl: Information disclosure via cross-protocol redirect with OAuth2 bearer token
bugzilla · 2025-12-31 · CVSS 5.3 · CVE-2025-14524 [MEDIUM]
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.