#VU121026 Insufficiently protected credentials in cURL - CVE-2025-14524

Published: January 7, 2026


Vulnerability identifier: #VU121026
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-14524
CWE-ID: CWE-522
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
cURL
Software vendor:
curl.haxx.se

Description

The vulnerability allows a remote attacker to obtain a bearer token.

The vulnerability exists due to an error in handling cross-protocol redirects. When an OAuth2 bearer token is used for an HTTP(S) transfer and that transfer follows a cross-protocol redirect to a second URL with an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass the bearer token on to the new target host.
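The defect class here is a client that keeps attaching a credential after a redirect moves the request to a different protocol. The following is an added illustration, not curl's own code: a small redirect-following simulation with an explicit policy that drops the bearer token whenever the redirect target is not HTTP(S) or is on a different host. The response table, hostnames and token value are constructed for the example; the scheme lists are an assumption that pairs the four schemes named in the advisory with their TLS variants, and the "same host" rule is a deliberately conservative choice for the example rather than a description of curl's rule.

```python
from urllib.parse import urlsplit

# Schemes on which the original (HTTP(S)) bearer token may legitimately travel.
HTTP_SCHEMES = {"http", "https"}
# Assumed list: the four schemes named in the advisory plus their TLS variants.
NON_HTTP_SCHEMES = {"imap", "imaps", "ldap", "ldaps", "pop3", "pop3s", "smtp", "smtps"}


def should_forward_bearer(original_url: str, redirect_url: str) -> bool:
    """Decide whether the token sent to original_url may accompany a redirect.

    Policy used by this example (an assumption, not curl's rule): forward only
    when the redirect stays on an HTTP(S) scheme and on the same host.
    """
    o = urlsplit(original_url)
    r = urlsplit(redirect_url)
    if r.scheme.lower() not in HTTP_SCHEMES:
        return False  # cross-protocol redirect (e.g. imap://): never carry the token
    if (o.hostname or "").lower() != (r.hostname or "").lower():
        return False  # different host: treat as a separate credential scope
    return True


# Constructed stand-in for server responses: URL -> (status, Location header)
FAKE_RESPONSES = {
    "https://api.example.test/v1/me": (302, "imap://mail.example.test/INBOX"),
    "https://api.example.test/v1/profile": (302, "https://api.example.test/v1/profile2"),
    "https://api.example.test/v1/profile2": (200, None),
}


def follow(url: str, token: str, max_hops: int = 5):
    """Simulate following redirects; return a list of (url, headers_sent) per hop."""
    hops = []
    headers = {"Authorization": f"Bearer {token}"}
    for _ in range(max_hops):
        hops.append((url, dict(headers)))
        status, location = FAKE_RESPONSES.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        if not should_forward_bearer(url, location):
            # The credential scope ends here: strip it before the next hop.
            headers.pop("Authorization", None)
        url = location
    return hops


if __name__ == "__main__":
    for hop_url, sent in follow("https://api.example.test/v1/me", "constructed-token"):
        print(hop_url, "->", "token sent" if "Authorization" in sent else "token withheld")
```

When run, the first hop to the HTTPS API carries the token and the redirected hop to the IMAP host does not, which is the behaviour a fixed client should show. For curl itself, independent of the patch, the `--proto-redir` command-line option (and `CURLOPT_REDIR_PROTOCOLS_STR` in libcurl) limits which protocols a redirect is allowed to switch to; restricting it to `http,https` is a reasonable defensive default for any tool that follows redirects with credentials attached.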


Remediation

Install updates from the vendor's website.

External links