curl
cpe:2.3:a:curl_project:curl:*:*:*:*:ruby:*:*
- >= 7.33.0, <= 8.17.0
A vulnerability in curl's handling of OAuth2 bearer tokens during cross-protocol redirects has been identified. When a bearer token is used in an HTTP(S) transfer that is redirected to a URL using an IMAP, LDAP, POP3, or SMTP scheme, curl may incorrectly forward the token to the new host. This issue affects curl versions 7.33.0 through 8.17.0.
Exploitation of this vulnerability leads to unauthorized access to services that accept OAuth2 tokens, allowing attackers to impersonate users and access sensitive data or perform actions on their behalf. This vulnerability also bypasses previous security enhancements in curl that protected against credential leaks during redirects.
The vulnerability can be reproduced by sending an HTTP request with an OAuth2 bearer token to a server that redirects to an IMAP server. The redirect must include a username component to trigger the token leak, as curl will then use the bearer token for authentication with the IMAP server, effectively leaking it to the attacker.
Users can upgrade to curl version 8.18.0 or later, avoid cross-protocol redirects, and refrain from using OAuth2 bearer tokens.
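The affected range and the protocol list above can be checked against a local build. The following is an added example, not code from the curl project or from this advisory: it classifies the text printed by `curl --version`, and the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a curl build against this advisory's affected range
# (7.33.0 through 8.17.0) using the text printed by `curl --version`.

# ver_key: map "MAJOR.MINOR.PATCH" to one integer so versions compare numerically.
# A suffix such as "-DEV" on the patch field is ignored by awk's numeric conversion.
ver_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# curl_exposure: print one verdict for the given `curl --version` output.
curl_exposure() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" { print $2 }')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    key=$(ver_key "$ver")
    if [ "$key" -lt "$(ver_key 7.33.0)" ] || [ "$key" -gt "$(ver_key 8.17.0)" ]; then
        echo "not-affected"
        return 0
    fi
    # Redirect targets named in the advisory: IMAP, LDAP, POP3, SMTP.
    hits=$(printf '%s\n' "$1" | awk '$1 == "Protocols:" {
        s = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(imap|ldap|pop3|smtp)$/) s = (s == "" ? $i : s "," $i)
        print s
    }')
    if [ -n "$hits" ]; then
        echo "affected:$hits"
    else
        echo "affected-version:no-listed-protocols"
    fi
}

# Constructed samples in the layout of `curl --version` (not captured from real hosts).
SAMPLE_FULL='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s smtp smtps
Features: HTTP2 SSL'
SAMPLE_FIXED='curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.5.0
Protocols: http https imap ldap pop3 smtp'
SAMPLE_HTTP_ONLY='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1
Protocols: http https'

for s in "$SAMPLE_FULL" "$SAMPLE_FIXED" "$SAMPLE_HTTP_ONLY"; do
    curl_exposure "$s"
done
```

To check a real build, call `curl_exposure "$(curl --version)"`. Where an affected build cannot be upgraded, curl's `--proto-redir` option (for example `--proto-redir =https`) limits which schemes a followed redirect may use.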