Listen to this Post
When an OAuth2 bearer token is used for an HTTP or HTTPS transfer and curl follows a redirect to a second URL, the token can be leaked to the second host under specific conditions . This occurs if the destination hostname of the redirect has a matching entry in the used .netrc file, specified by either the `machine` or `default` keyword . The vulnerability exists because the internal logic that normally prevents credentials from being sent to a different host is bypassed when a .netrc entry for the new host is present . Instead of being stripped, the bearer token set for the original request is incorrectly passed on to the redirected host . The flaw affects curl versions from 7.33.0 up to and including 8.18.0 and was fixed in version 8.19.0 . The issue is classified as CWE-522, indicating insufficiently protected credentials .
dailycve form:
Platform: cURL
Version: 7.33.0-8.18.0
Vulnerability : OAuth2 Bearer Leak
Severity: Medium
date: 2026-03-11
Prediction: Patched 2026-03-11
What Undercode Say:
Analytics:
The vulnerability resides in the logic handling HTTP redirects when a .netrc file is in use. The following pseudo-code illustrates the flawed mechanism where the bearer token is not properly cleared for cross-origin redirects if a .netrc entry exists for the target.
// Simplified representation of the vulnerable logic
if(redirect_detected && new_host_different) {
// Host-specific .netrc entry exists for new host, so token is not cleared
if (netrc_matches_new_host || netrc_has_default) {
// VULNERABILITY: Bearer token is unintentionally forwarded
// CURLOPT_XOAUTH2_BEARER is not stripped
perform_request_to_new_host_with_token();
} else {
// Safe path: clear credentials
Curl_safefree(data->state.aptr.user);
Curl_safefree(data->state.aptr.passwd);
// Bearer token would ideally be cleared here too, but wasn't
}
}
Bash Commands:
Check your installed curl version to see if it is affected.
curl --version | head -n1
Example of a vulnerable command pattern (do not use against untrusted servers). This command uses a bearer token, follows redirects (-L), and relies on a .netrc file that might have an entry for the redirect target.
curl --oauth2-bearer "s3cr3t-t0k3n" -L --netrc https://trusted-site.com/redirect
To safely test the fix, ensure you are using version 8.19.0 or later.
After upgrading to 8.19.0 or later, the token should not leak curl --oauth2-bearer "s3cr3t-t0k3n" -L --netrc https://patched-instance.com/test
How Exploit:
An attacker can exploit this by controlling a server that the victim’s curl request is redirected to . The victim must be using a vulnerable curl version with a bearer token and have a .netrc file containing either a `machine` entry for the attacker’s hostname or a `default` entry . When the victim’s request to a legitimate site is redirected (e.g., via an open redirect on the initial site) to the attacker’s server, curl will inadvertently send the Authorization: Bearer header to the attacker’s server . The attacker can then capture this token and use it to impersonate the victim .
Protection from this CVE:
The primary protection is to upgrade to curl/libcurl version 8.19.0 or later . If an immediate upgrade is not possible, mitigations include avoiding the combination of bearer tokens and .netrc when following redirects, or disabling redirect-following entirely (-L / --location) for such transfers . Users can also set the `Authorization: Bearer` header explicitly using `-H` instead of --oauth2-bearer, as this code path may have different checks .
Impact:
Successful exploitation leads to the leakage of a valid OAuth2 bearer token to an unintended third-party host . This token can grant an attacker unauthorized access to the APIs and resources that the token is meant to protect, potentially leading to data breaches, account takeover, or further lateral movement within an infrastructure . The severity is considered Medium due to the specific preconditions required for exploitation .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

