curl and libcurl OAuth2 Bearer Token Leak Vulnerability During Redirects

Vulnerability

A vulnerability exists in curl and libcurl versions 7.33.0 through 8.18.0, where an OAuth2 bearer token can be inadvertently leaked to a second URL during an HTTP(S) redirect. This occurs when the host that the first request is redirected to has an entry in the user's .netrc file, under either the 'machine' or the 'default' keyword. In that case curl transmits the bearer token intended for the initial host to the redirect target as well. The curl command line tool is affected in the same way as libcurl.

Impact

The vulnerability allows an OAuth2 bearer token to be disclosed to a redirect target that was never meant to receive it, exposing the credential to an unintended recipient and thereby compromising the authentication it protects.

Reproduction

The vulnerability can be reproduced by creating a .netrc file with a default entry, then running curl with the --oauth2-bearer option, the --netrc-file option pointing at that .netrc file, and the -L option to follow redirects. The first server (Server A) is set up to redirect to a second server (Server B), which checks for the presence of an Authorization header. When the redirect is followed, Server B receives the leaked bearer token, demonstrating the vulnerability.

Remediation

Users are advised to upgrade to curl and libcurl version 8.19.0, to apply the patch and rebuild libcurl, or to avoid using bearer tokens on requests that follow redirects.
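The following script is an added example, not code from the advisory or from the curl project. It automates the reproduction described above as a local regression check a defender can run against their own curl build, and it also implements the affected-range check implied by the remediation section: Server A answers with a 302 to Server B, a constructed .netrc 'default' entry makes B a netrc match, and B records whether the bearer token arrived. It assumes a curl binary on PATH, that ephemeral localhost ports can be bound, and uses a constructed token and constructed .netrc contents; the version range 7.33.0 through 8.18.0 is taken from the advisory.

```python
"""Regression check for the curl OAuth2 bearer-token-on-redirect leak.

Added example, not from the advisory or the curl project: runs two local
HTTP servers (A redirects to B), drives curl through them with
--oauth2-bearer, --netrc-file and -L, and reports what B received.
"""
import http.server
import os
import re
import shutil
import subprocess
import tempfile
import threading

AFFECTED_MIN = (7, 33, 0)   # first affected release named in the advisory
AFFECTED_MAX = (8, 18, 0)   # last affected release named in the advisory


def parse_curl_version(text):
    """Return (major, minor, patch) from 'curl --version' output or a bare string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version lies in the advisory's range 7.33.0 .. 8.18.0 inclusive."""
    v = parse_curl_version(version) if isinstance(version, str) else tuple(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


class _Sink(http.server.BaseHTTPRequestHandler):
    """Server B: records the Authorization header (or None) and answers 200."""
    seen = []

    def do_GET(self):
        type(self).seen.append(self.headers.get("Authorization"))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the servers quiet
        pass


def _make_redirector(target):
    """Server A: answers every GET with a 302 to the given target URL."""
    class _Redirect(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass
    return _Redirect


def _serve(handler):
    """Bind an ephemeral localhost port and serve the handler in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_redirect_leak_check(curl=None, token="constructed-test-token"):
    """Drive curl A -> B as in the advisory's reproduction.

    Returns None if no curl binary is available or localhost cannot be bound;
    otherwise a dict with the curl version, whether that version is inside the
    affected range, the Authorization value B saw, and whether the token leaked.
    """
    curl = curl or shutil.which("curl")
    if not curl:
        return None
    try:
        _Sink.seen.clear()
        b = _serve(_Sink)
        b_url = "http://127.0.0.1:%d/" % b.server_address[1]
        a = _serve(_make_redirector(b_url))
        a_url = "http://127.0.0.1:%d/" % a.server_address[1]
    except OSError:
        return None  # sandbox without local sockets: nothing to measure
    with tempfile.TemporaryDirectory() as tmp:
        netrc = os.path.join(tmp, "netrc")
        with open(netrc, "w") as f:  # constructed 'default' entry: matches B (and A)
            f.write("default login testuser password testpass\n")
        ver = subprocess.run([curl, "--version"], capture_output=True, text=True).stdout
        subprocess.run([curl, "-sS", "-o", os.devnull, "-L",
                        "--oauth2-bearer", token, "--netrc-file", netrc, a_url],
                       capture_output=True, text=True, timeout=30)
    for srv in (a, b):
        srv.shutdown()
        srv.server_close()
    seen = list(_Sink.seen)
    return {
        "curl_version": "%d.%d.%d" % parse_curl_version(ver),
        "version_in_affected_range": is_affected_version(ver),
        "authorization_seen_by_b": seen[0] if seen else None,
        "leaked": any(h is not None and token in h for h in seen),
    }


if __name__ == "__main__":
    print(run_redirect_leak_check())
```

A patched curl must yield `leaked: False` here; the check keys on the token string rather than on the mere presence of an Authorization header, because the .netrc entry may legitimately cause other credentials to be sent to B.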

Added: Mar 11, 2026, 11:18 AM
Updated: Mar 11, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.3
exploitability: 5.8
remediation: 8.3
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.