A flaw in libcurl allows credentials stored in a .netrc file to be unintentionally sent to a redirected host when both the initial and redirected URLs use clear text HTTP, share the same HTTP proxy, and the connection is reused. The vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-201), results in the accidental transmission of user passwords over the network, exposing sensitive authentication data to an unauthorized actor and enabling credential theft.

The vulnerability affects libcurl and any applications that rely on it (such as the command-line tool) when configured to use .netrc credentials and automatic HTTP redirects. All builds of libcurl that support .netrc file usage and do not enforce isolation between proxy connections before the fix are potentially impacted. Specific version details are not listed, so all pre‑fix releases should be considered vulnerable.

The CVSS score of 6.5 indicates a moderate severity threat. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The attack requires an attacker to control or observe a clear text HTTP proxy that the user employs for both the original and the redirected request. In scenarios where an attacker can see the proxy traffic or coerce a user to route traffic through a malicious proxy, credential leakage can occur. Although the conditions for exploitation are relatively specific, the potential impact of credential theft warrants proactive mitigation.