CVE-2025-0167
LOWDescription
When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.
CVSS v3.1 Score
Affected Products
| Vendor | Product |
|---|---|
| haxx | curl |
| netapp | element_software |
| netapp | ontap |
| netapp | ontap_select_deploy_administration_utility |
| netapp | ontap_tools |
| netapp | solidfire_\&_hci_management_node |
| netapp | solidfire_\&_hci_storage_node |
| netapp | bootstrap_os |
| netapp | hci_compute_node |
| netapp | h300s_firmware |
| netapp | h300s |
| netapp | h410c_firmware |
| netapp | h410c |
| netapp | h410s_firmware |
| netapp | h410s |
| netapp | h500s_firmware |
| netapp | h500s |
| netapp | h610c_firmware |
| netapp | h610c |
| netapp | h610s_firmware |
| netapp | h610s |
| netapp | h615c_firmware |
| netapp | h615c |
| netapp | h700s_firmware |
| netapp | h700s |
References
Frequently Asked Questions
What is CVE-2025-0167? +
How severe is CVE-2025-0167? +
What products are affected by CVE-2025-0167? +
How do I check if I'm vulnerable to CVE-2025-0167? +
Related Vulnerabilities
A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes …
The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the …
Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the …
libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the …
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication …
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with …