CURL-CVE-2025-14524

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2025-14524.html

Import Source

https://curl.se/docs/CURL-CVE-2025-14524.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2025-14524

Aliases

CVE-2025-14524

Published

2026-01-07T08:00:00Z

Modified

2026-05-29T05:40:12.269965Z

Summary

bearer token leak on cross-protocol redirect

Details

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Database specific

{
    "last_affected": "8.17.0",
    "package": "curl",
    "CWE": {
        "desc": "Insufficiently Protected Credentials",
        "id": "CWE-522"
    },
    "URL": "https://curl.se/docs/CVE-2025-14524.json",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2025-14524.html",
    "issue": "https://hackerone.com/reports/3459417",
    "affects": "both",
    "award": {
        "currency": "USD",
        "amount": "505"
    }
}

References

Credits

- anonymous237 on hackerone - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.33.0

Fixed

8.18.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

06c1bea72faabb6fad4b7ef818aafaa336c9a7aa

Fixed

1a822275d333dc6da6043497160fd04c8fa48640

Affected versions

7.*

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

7.77.0

7.78.0

7.79.0

7.79.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.2.0

8.2.1

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Other

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_42_1

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

curl-7_51_0

curl-7_52_0

curl-7_52_1

curl-7_53_0

curl-7_53_1

curl-7_54_0

curl-7_54_1

curl-7_55_0

curl-7_55_1

curl-7_56_0

curl-7_56_1

curl-7_57_0

curl-7_58_0

curl-7_59_0

curl-7_60_0

curl-7_61_0

curl-7_61_1

curl-7_62_0

curl-7_63_0

curl-7_64_0

curl-7_64_1

curl-7_65_0

curl-7_65_1

curl-7_65_2

curl-7_65_3

curl-7_66_0

curl-7_67_0

curl-7_68_0

curl-7_69_0

curl-7_69_1

curl-7_70_0

curl-7_71_0

curl-7_71_1

curl-7_72_0

curl-7_73_0

curl-7_74_0

curl-7_75_0

curl-7_76_0

curl-7_76_1

curl-7_77_0

curl-7_78_0

curl-7_79_0

curl-7_79_1

curl-7_80_0

curl-7_81_0

curl-7_82_0

curl-7_83_0

curl-7_83_1

curl-7_84_0

curl-7_85_0

curl-7_86_0

curl-7_87_0

curl-7_88_0

curl-7_88_1

curl-8_0_0

curl-8_0_1

curl-8_10_0

curl-8_10_1

curl-8_11_0

curl-8_11_1

curl-8_12_0

curl-8_12_1

curl-8_13_0

curl-8_14_0

curl-8_14_1

curl-8_15_0

curl-8_16_0

curl-8_17_0

curl-8_1_0

curl-8_1_1

curl-8_1_2

curl-8_2_0

curl-8_2_1

curl-8_3_0

curl-8_4_0

curl-8_5_0

curl-8_6_0

curl-8_7_0

curl-8_7_1

curl-8_8_0

curl-8_9_0

curl-8_9_1

rc-8_18_0-1

tiny-curl-7_72_0

tiny-curl-8_4_0

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "target": {
            "file": "lib/curl_sasl.c"
        },
        "digest": {
            "line_hashes": [
                "206227627013705818388421116095464280275",
                "146445018200798695659894282886989332010",
                "73137026632638984080970357216391271479",
                "20180869616707082726044560042120516718",
                "297804764287478899455851841748028963067",
                "75500228844593104379061953534717048700",
                "310934647514053912658054552670061024950",
                "120650008394980476833413788340692501428"
            ],
            "threshold": 0.9
        },
        "id": "CURL-CVE-2025-14524-1419737b",
        "source": "https://github.com/curl/curl.git/commit/1a822275d333dc6da6043497160fd04c8fa48640",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "function": "sasl_choose_oauth2",
            "file": "lib/curl_sasl.c"
        },
        "digest": {
            "length": 489.0,
            "function_hash": "208767605308290121900945290777100662394"
        },
        "id": "CURL-CVE-2025-14524-22368e97",
        "source": "https://github.com/curl/curl.git/commit/1a822275d333dc6da6043497160fd04c8fa48640",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "target": {
            "function": "sasl_choose_oauth",
            "file": "lib/curl_sasl.c"
        },
        "digest": {
            "length": 633.0,
            "function_hash": "191750539846852921826204324538456858850"
        },
        "id": "CURL-CVE-2025-14524-77b7df11",
        "source": "https://github.com/curl/curl.git/commit/1a822275d333dc6da6043497160fd04c8fa48640",
        "signature_type": "Function",
        "signature_version": "v1"
    }
]

source

"https://curl.se/docs/CURL-CVE-2025-14524.json"

vanir_signatures_modified

"2026-05-29T05:40:12Z"