{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-0167", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2024-12-31T23:07:29.650Z", "datePublished": "2025-02-05T09:15:06.891Z", "dateUpdated": "2025-03-07T00:10:48.290Z"}, "containers": {"cna": {"title": "netrc and default credential leak", "descriptions": [{"lang": "en", "value": "When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. A rare circumstance."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2025-02-05T09:15:06.891Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.11.1", "status": "affected", "lessThanOrEqual": "8.11.1", "versionType": "semver"}, {"version": "8.11.0", "status": "affected", "lessThanOrEqual": "8.11.0", "versionType": "semver"}, {"version": "8.10.1", "status": "affected", "lessThanOrEqual": "8.10.1", "versionType": "semver"}, {"version": "8.10.0", "status": "affected", "lessThanOrEqual": "8.10.0", "versionType": "semver"}, {"version": "8.9.1", "status": "affected", "lessThanOrEqual": "8.9.1", "versionType": "semver"}, {"version": "8.9.0", "status": "affected", "lessThanOrEqual": "8.9.0", "versionType": "semver"}, {"version": "8.8.0", "status": "affected", "lessThanOrEqual": "8.8.0", "versionType": "semver"}, {"version": "8.7.1", "status": "affected", "lessThanOrEqual": "8.7.1", "versionType": "semver"}, {"version": "8.7.0", "status": "affected", "lessThanOrEqual": "8.7.0", "versionType": "semver"}, {"version": "8.6.0", "status": "affected", "lessThanOrEqual": "8.6.0", "versionType": "semver"}, {"version": "8.5.0", "status": "affected", "lessThanOrEqual": "8.5.0", "versionType": "semver"}, {"version": "8.4.0", "status": "affected", "lessThanOrEqual": "8.4.0", "versionType": "semver"}, {"version": "8.3.0", "status": "affected", "lessThanOrEqual": "8.3.0", "versionType": "semver"}, {"version": "8.2.1", "status": "affected", "lessThanOrEqual": "8.2.1", "versionType": "semver"}, {"version": "8.2.0", "status": "affected", "lessThanOrEqual": "8.2.0", "versionType": "semver"}, {"version": "8.1.2", "status": "affected", "lessThanOrEqual": "8.1.2", "versionType": "semver"}, {"version": "8.1.1", "status": "affected", "lessThanOrEqual": "8.1.1", "versionType": "semver"}, {"version": "8.1.0", "status": "affected", "lessThanOrEqual": "8.1.0", "versionType": "semver"}, {"version": "8.0.1", "status": "affected", "lessThanOrEqual": "8.0.1", "versionType": "semver"}, {"version": "8.0.0", "status": "affected", "lessThanOrEqual": "8.0.0", "versionType": "semver"}, {"version": "7.88.1", "status": "affected", "lessThanOrEqual": "7.88.1", "versionType": "semver"}, {"version": "7.88.0", "status": "affected", "lessThanOrEqual": "7.88.0", "versionType": "semver"}, {"version": "7.87.0", "status": "affected", "lessThanOrEqual": "7.87.0", "versionType": "semver"}, {"version": "7.86.0", "status": "affected", "lessThanOrEqual": "7.86.0", "versionType": "semver"}, {"version": "7.85.0", "status": "affected", "lessThanOrEqual": "7.85.0", "versionType": "semver"}, {"version": "7.84.0", "status": "affected", "lessThanOrEqual": "7.84.0", "versionType": "semver"}, {"version": "7.83.1", "status": "affected", "lessThanOrEqual": "7.83.1", "versionType": "semver"}, {"version": "7.83.0", "status": "affected", "lessThanOrEqual": "7.83.0", "versionType": "semver"}, {"version": "7.82.0", "status": "affected", "lessThanOrEqual": "7.82.0", "versionType": "semver"}, {"version": "7.81.0", "status": "affected", "lessThanOrEqual": "7.81.0", "versionType": "semver"}, {"version": "7.80.0", "status": "affected", "lessThanOrEqual": "7.80.0", "versionType": "semver"}, {"version": "7.79.1", "status": "affected", "lessThanOrEqual": "7.79.1", "versionType": "semver"}, {"version": "7.79.0", "status": "affected", "lessThanOrEqual": "7.79.0", "versionType": "semver"}, {"version": "7.78.0", "status": "affected", "lessThanOrEqual": "7.78.0", "versionType": "semver"}, {"version": "7.77.0", "status": "affected", "lessThanOrEqual": "7.77.0", "versionType": "semver"}, {"version": "7.76.1", "status": "affected", "lessThanOrEqual": "7.76.1", "versionType": "semver"}, {"version": "7.76.0", "status": "affected", "lessThanOrEqual": "7.76.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-0167.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-0167.html", "name": "www"}, {"url": "https://hackerone.com/reports/2917232", "name": "issue"}], "credits": [{"lang": "en", "value": "Yihang Zhou", "type": "finder"}, {"lang": "en", "value": "Daniel Stenberg", "type": "remediation developer"}]}, "adp": [{"references": [{"url": "https://curl.se/docs/CVE-2025-0167.html", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-05T15:52:41.551530Z", "id": "CVE-2025-0167", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T14:48:00.488Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250306-0008/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-07T00:10:48.290Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20250306-0008/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-03-07T00:10:48.290Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-0167", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-05T15:52:41.551530Z"}}}], "references": [{"url": "https://curl.se/docs/CVE-2025-0167.html", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T15:54:29.481Z"}}], "cna": {"title": "netrc and default credential leak", "credits": [{"lang": "en", "type": "finder", "value": "Yihang Zhou"}, {"lang": "en", "type": "remediation developer", "value": "Daniel Stenberg"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.11.1", "versionType": "semver", "lessThanOrEqual": "8.11.1"}, {"status": "affected", "version": "8.11.0", "versionType": "semver", "lessThanOrEqual": "8.11.0"}, {"status": "affected", "version": "8.10.1", "versionType": "semver", "lessThanOrEqual": "8.10.1"}, {"status": "affected", "version": "8.10.0", "versionType": "semver", "lessThanOrEqual": "8.10.0"}, {"status": "affected", "version": "8.9.1", "versionType": "semver", "lessThanOrEqual": "8.9.1"}, {"status": "affected", "version": "8.9.0", "versionType": "semver", "lessThanOrEqual": "8.9.0"}, {"status": "affected", "version": "8.8.0", "versionType": "semver", "lessThanOrEqual": "8.8.0"}, {"status": "affected", "version": "8.7.1", "versionType": "semver", "lessThanOrEqual": "8.7.1"}, {"status": "affected", "version": "8.7.0", "versionType": "semver", "lessThanOrEqual": "8.7.0"}, {"status": "affected", "version": "8.6.0", "versionType": "semver", "lessThanOrEqual": "8.6.0"}, {"status": "affected", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.0"}, {"status": "affected", "version": "8.4.0", "versionType": "semver", "lessThanOrEqual": "8.4.0"}, {"status": "affected", "version": "8.3.0", "versionType": "semver", "lessThanOrEqual": "8.3.0"}, {"status": "affected", "version": "8.2.1", "versionType": "semver", "lessThanOrEqual": "8.2.1"}, {"status": "affected", "version": "8.2.0", "versionType": "semver", "lessThanOrEqual": "8.2.0"}, {"status": "affected", "version": "8.1.2", "versionType": "semver", "lessThanOrEqual": "8.1.2"}, {"status": "affected", "version": "8.1.1", "versionType": "semver", "lessThanOrEqual": "8.1.1"}, {"status": "affected", "version": "8.1.0", "versionType": "semver", "lessThanOrEqual": "8.1.0"}, {"status": "affected", "version": "8.0.1", "versionType": "semver", "lessThanOrEqual": "8.0.1"}, {"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.0.0"}, {"status": "affected", "version": "7.88.1", "versionType": "semver", "lessThanOrEqual": "7.88.1"}, {"status": "affected", "version": "7.88.0", "versionType": "semver", "lessThanOrEqual": "7.88.0"}, {"status": "affected", "version": "7.87.0", "versionType": "semver", "lessThanOrEqual": "7.87.0"}, {"status": "affected", "version": "7.86.0", "versionType": "semver", "lessThanOrEqual": "7.86.0"}, {"status": "affected", "version": "7.85.0", "versionType": "semver", "lessThanOrEqual": "7.85.0"}, {"status": "affected", "version": "7.84.0", "versionType": "semver", "lessThanOrEqual": "7.84.0"}, {"status": "affected", "version": "7.83.1", "versionType": "semver", "lessThanOrEqual": "7.83.1"}, {"status": "affected", "version": "7.83.0", "versionType": "semver", "lessThanOrEqual": "7.83.0"}, {"status": "affected", "version": "7.82.0", "versionType": "semver", "lessThanOrEqual": "7.82.0"}, {"status": "affected", "version": "7.81.0", "versionType": "semver", "lessThanOrEqual": "7.81.0"}, {"status": "affected", "version": "7.80.0", "versionType": "semver", "lessThanOrEqual": "7.80.0"}, {"status": "affected", "version": "7.79.1", "versionType": "semver", "lessThanOrEqual": "7.79.1"}, {"status": "affected", "version": "7.79.0", "versionType": "semver", "lessThanOrEqual": "7.79.0"}, {"status": "affected", "version": "7.78.0", "versionType": "semver", "lessThanOrEqual": "7.78.0"}, {"status": "affected", "version": "7.77.0", "versionType": "semver", "lessThanOrEqual": "7.77.0"}, {"status": "affected", "version": "7.76.1", "versionType": "semver", "lessThanOrEqual": "7.76.1"}, {"status": "affected", "version": "7.76.0", "versionType": "semver", "lessThanOrEqual": "7.76.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-0167.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-0167.html", "name": "www"}, {"url": "https://hackerone.com/reports/2917232", "name": "issue"}], "descriptions": [{"lang": "en", "value": "When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. A rare circumstance."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2025-02-05T09:15:06.891Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0167", "state": "PUBLISHED", "dateUpdated": "2025-03-07T00:10:48.290Z", "dateReserved": "2024-12-31T23:07:29.650Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2025-02-05T09:15:06.891Z", "assignerShortName": "curl"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When asked to use a `.netrc` file for credentials **and** to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has a `default` entry that\nomits both login and password. A rare circumstance."}, {"lang": "es", "value": "Cuando se le pide que use un archivo `.netrc` para las credenciales **y** para seguir redirecciones HTTP, curl podr\u00eda filtrar la contrase\u00f1a utilizada para el primer host al host siguiente en determinadas circunstancias. Esta falla solo se manifiesta si el archivo netrc tiene una entrada `default` que omite tanto el nombre de usuario como la contrase\u00f1a. Una circunstancia poco com\u00fan."}], "id": "CVE-2025-0167", "lastModified": "2025-03-07T01:15:12.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-02-05T10:15:22.710", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2025-0167.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://curl.se/docs/CVE-2025-0167.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "url": "https://hackerone.com/reports/2917232"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20250306-0008/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://curl.se/docs/CVE-2025-0167.html"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Awaiting Analysis"}

{}