CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-11053: netrc and redirect credential leak

Description

When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password.

Classification

CVE ID: CVE-2024-11053

Affected Products

Vendor: curl

Product: curl

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.97% (scored less or equal to compared to others)

EPSS Date: 2025-02-21 (when was this score calculated)

References

https://curl.se/docs/CVE-2024-11053.json
https://curl.se/docs/CVE-2024-11053.html
https://hackerone.com/reports/2829063

Timeline

2025-01-25 00:30:13 UTC
CVE

netrc and redirect credential leak
2025-03-20 09:15:33 UTC
Tenable Plugins

EulerOS 2.0 SP12 : curl (EulerOS-SA-2025-1290)