JLSEC-2025-26

See a problem?
Please try reporting it to the source first.
Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-26.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-26.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2025-26
Upstream
Published
2025-10-10T15:04:01.319Z
Modified
2025-11-03T00:18:53.538170Z
Summary
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to ...
Details

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Database specific 
{
    "sources": [
        {
            "imported": "2025-10-10T14:33:22.316Z",
            "modified": "2025-06-09T15:15:23.067Z",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-22876",
            "published": "2021-04-01T18:15:12.823Z",
            "id": "CVE-2021-22876"
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / LibCURL_jll

Package

Name
LibCURL_jll
Purl
pkg:julia/LibCURL_jll?uuid=deac9b47-8bc7-5906-a0fe-35ac56dc84c0

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
7.81.0+0