curl and libcurl Proxy Credentials Leak Over Redirect-to-Proxy

Vulnerability

A vulnerability exists in curl and libcurl versions 7.14.1 through 8.19.0, where credentials for one proxy can be incorrectly forwarded to another proxy during a redirect. This issue arises when different proxies are used for different URL schemes, and the first proxy requires authentication while the second does not. When a redirect occurs from a URL using the first proxy to one using the second, the credentials for the first proxy can be sent to the second without any indication of their origin or validity.

Impact

Exploitation of this vulnerability causes a leak of proxy authentication credentials to a different proxy, potentially crossing a trust boundary and exposing sensitive information.

Reproduction

The vulnerability can be reproduced by setting up an HTTP server that returns a redirect to an HTTPS URL, together with two HTTP proxies, one that requires credentials and one that does not. With curl configured to use the first proxy, with credentials, for the HTTP request and the second proxy for the HTTPS URL it is redirected to, the request to the first proxy carries the correct credentials, but the initial request to the second proxy also carries the credentials from the first proxy, demonstrating the leak.
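The reproduction above as a local harness, added here as an example (it is not the curl project's own test code): both proxies are stood in by minimal Python servers, the credentials are constructed placeholders, and run_check() assumes a curl binary on PATH. The first proxy challenges with 407 and then answers with a redirect to an HTTPS URL; the second proxy never asks for credentials and simply records the headers it receives, so a Proxy-Authorization header showing up there is the leak.

```python
import http.client, os, subprocess, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed placeholder credentials for the first (authenticating) proxy.
PROXY_USER, PROXY_PASS = "alice", "s3cret"
REDIRECT_TARGET = "https://target.invalid/"  # .invalid never resolves; the CONNECT headers are the evidence

class AuthProxy(BaseHTTPRequestHandler):
    """First proxy: demands credentials, then answers the proxied GET with a redirect to HTTPS."""
    def do_GET(self):
        if not self.headers.get("Proxy-Authorization"):
            self.send_response(407)
            self.send_header("Proxy-Authenticate", 'Basic realm="first-proxy"')
        else:
            self.send_response(302)
            self.send_header("Location", REDIRECT_TARGET)
        self.end_headers()
    def log_message(self, *args): pass

class RecordingProxy(BaseHTTPRequestHandler):
    """Second proxy: never asks for auth; records the headers of every CONNECT it receives."""
    seen = []
    def do_CONNECT(self):
        RecordingProxy.seen.append(dict(self.headers))
        self.send_response(502)  # refuse to tunnel; the recorded headers are what we inspect
        self.end_headers()
    def log_message(self, *args): pass

def leaked_credentials(headers):
    """True if a Proxy-Authorization header reached a proxy that never challenged for one."""
    return any(name.lower() == "proxy-authorization" for name in headers)

def start(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def proxied_get_status(port, headers=None):
    """Send one proxy-style GET to a local proxy and return the status code it answers with."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "http://origin.invalid/", headers=headers or {})
    return conn.getresponse().status

def run_check():
    """Drive the installed curl through both proxies; True means the first proxy's credentials leaked."""
    first, second = start(AuthProxy), start(RecordingProxy)
    env = {**os.environ, "http_proxy": f"http://{PROXY_USER}:{PROXY_PASS}@127.0.0.1:{first.server_port}",
           "https_proxy": f"http://127.0.0.1:{second.server_port}"}
    subprocess.run(["curl", "-sS", "-L", "-o", "/dev/null", "http://origin.invalid/"], env=env)
    first.shutdown(); second.shutdown()
    return any(leaked_credentials(h) for h in RecordingProxy.seen)
```

Call run_check() against the curl build under test; it returns True when the first proxy's credentials were forwarded to the second proxy.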

Remediation

Users are advised to upgrade to curl and libcurl version 8.20.0, or to apply the patch available in the curl GitHub repository.

Added: May 13, 2026, 4:24 PM
Updated: May 13, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 7.9
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.