Impact
When an application uses libcurl to send a request through an HTTP proxy that requires Digest authentication, an attacker can cause the library to incorrectly carry the Proxy-Authorization header from the first proxy to a second proxy if the proxy host is changed while the same handle is reused. As a result, the credentials intended for the first proxy are exposed to the second proxy, compromising the confidentiality of authentication tokens. The weakness is a classic example of Information Disclosure and is identified as CWE‑294 and CWE‑201.
Affected Systems
The affected product is the libcurl library commonly known as CURL. The advisory does not specify vulnerable versions, so any libcurl release that exhibits this behavior should be considered at risk. The problem lies in the library’s internal state management when a handle’s proxy configuration changes.
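The following is an added example, not code from libcurl or from the advisory: a simplified Python model of the handle-reuse flaw described above, beside a hardened variant that drops cached proxy authentication state when the proxy changes. The `Handle` class, host names, credentials and nonce are constructed for illustration and do not reflect libcurl's internals.

```python
import hashlib

def digest_header(user, password, realm, nonce, method, uri):
    """Build an RFC 2617 (no qop) Digest Proxy-Authorization value."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    response = md5(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')

class Handle:
    """Toy stand-in for a reusable transfer handle (assumption, not libcurl's code)."""
    def __init__(self, clear_on_proxy_change):
        self.clear_on_proxy_change = clear_on_proxy_change
        self.proxy = None
        self.proxy_auth = None      # cached Proxy-Authorization value

    def set_proxy(self, proxy):
        # Hardened behaviour: auth state is bound to the proxy it was made for.
        if self.clear_on_proxy_change and proxy != self.proxy:
            self.proxy_auth = None
        self.proxy = proxy

    def request(self, method, uri, challenge=None, creds=None):
        """Return the headers that would be sent to self.proxy."""
        if challenge and creds:     # answering a 407 from the current proxy
            self.proxy_auth = digest_header(*creds, challenge["realm"],
                                            challenge["nonce"], method, uri)
        headers = {"Host": uri}
        if self.proxy_auth:
            headers["Proxy-Authorization"] = self.proxy_auth
        return headers

def run(clear_on_proxy_change):
    """Authenticate to proxyA, switch to proxyB, return what proxyB receives."""
    h = Handle(clear_on_proxy_change)
    h.set_proxy("proxyA.example:8080")   # constructed sample values
    h.request("CONNECT", "origin.example:443",
              challenge={"realm": "proxyA", "nonce": "abc123"},
              creds=("alice", "s3cret"))
    h.set_proxy("proxyB.example:8080")
    return h.request("CONNECT", "origin.example:443")
```

`run(False)` models the flawed state handling, where proxyB receives the header computed for proxyA; `run(True)` models state that is discarded when the proxy changes.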
Risk and Exploitability
The EPSS score is <1%, and the CVSS score of 5.3 indicates moderate severity. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that exploitation requires an attacker to influence the application’s use of multiple proxies or to operate a malicious second proxy (proxyB) capable of capturing the leaked header. The impact scales with the sensitivity of the compromised credentials and with how widely the vulnerable code path is used; an attacker capturing the header can authenticate to the first proxy and potentially access resources beyond the second proxy’s domain.