libcurl .netrc Credential Leak via Reused Proxy Connection

Vulnerability

A vulnerability in libcurl allows passwords read from a .netrc file to leak unintentionally when HTTP redirects are followed and an HTTP proxy connection is reused. This issue affects libcurl versions from 7.14.0 up to, but not including, 8.20.0. The vulnerability arises because the same proxy connection can be used to send .netrc-derived credentials to multiple hosts, exposing those credentials to parties that were never meant to receive them.

Impact

Exploitation of this vulnerability results in a cross-host credential leak: the .netrc credentials for one host are sent to another host in the Authorization header. This exposes Basic authentication credentials to an unintended origin.

Reproduction

The vulnerability can be reproduced by configuring a .netrc file with credentials for a specific host, then using libcurl to send requests to that host while following HTTP redirects through an HTTP proxy. The same proxy connection must be reused for the redirect, which can be controlled with libcurl's connection management options.
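A check a defender can run over proxy access logs to spot the symptom described above, the same Basic credential being presented to more than one host on a single client connection. This is an added example, not part of the advisory or of the curl project; the log format and the sample lines are constructed for illustration.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic): one line per proxied
# request, recording the client connection id, the requested host and the
# Authorization header if one was present ("-" means none).
SAMPLE_LOG = """\
conn=7 host=api.example.com auth="Basic YWxpY2U6czNjcjN0"
conn=7 host=api.example.com auth=-
conn=7 host=cdn.example.net auth="Basic YWxpY2U6czNjcjN0"
conn=9 host=other.example.org auth="Basic Ym9iOmh1bnRlcjI="
"""

LINE_RE = re.compile(
    r'conn=(\d+) host=(\S+) auth=(?:"Basic ([A-Za-z0-9+/=]+)"|-)')


def basic_username(token):
    """Return the user part of a Basic token, or None if it does not decode.
    The password is deliberately never returned or logged."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, _ = decoded.partition(":")
    return user


def find_cross_host_basic_auth(log_text):
    """Group requests by (connection, credential) and report every credential
    that was sent to more than one host on the same connection."""
    seen = defaultdict(lambda: {"user": None, "hosts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) is None:
            continue  # malformed line or no Basic credential: nothing to track
        conn, host, token = m.groups()
        user = basic_username(token)
        if user is None:
            continue
        # Key on a digest of the token so the password never lands in findings.
        digest = hashlib.sha256(token.encode()).hexdigest()[:12]
        entry = seen[(conn, digest)]
        entry["user"] = user
        entry["hosts"].add(host)
    return {key: {"user": e["user"], "hosts": sorted(e["hosts"])}
            for key, e in seen.items() if len(e["hosts"]) > 1}
```

On the sample log the check flags connection 7, where alice's credential reached both api.example.com and cdn.example.net, and says nothing about connection 9.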

Remediation

Users can upgrade to libcurl version 8.20.0 or later, or apply the available patch and rebuild libcurl.

Added: May 13, 2026, 4:20 PM
Updated: May 13, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.9
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.