{"id":"CURL-CVE-2009-0037","summary":"Arbitrary File Access","details":"When told to follow a \"redirect\" automatically, libcurl does not question the\nnew target URL but follows it to any new URL that it understands. As libcurl\nsupports FILE:// URLs, a rogue server can thus \"trick\" a libcurl-using\napplication to read a local file instead of the remote one.\n\nThis is a problem, for example, when the application is running on a server\nand is written to upload or to otherwise provide the transferred data to a\nuser, to another server or to another application etc, as it can be used to\nexpose local files it was not meant to.\n\nThe problem can also be exploited for uploading, if the rogue server\nredirects the client to a local file and thus it would (over)write a local\nfile instead of sending it to the server.\n\nlibcurl compiled to support SCP can get tricked to get a file using embedded\nsemicolons, which can lead to execution of commands on the given\nserver. `Location: scp://name:passwd@host/a;date \u003e/tmp/test;`.\n\nFiles on servers other than the one running libcurl are also accessible when\ncredentials for those servers are stored in the .netrc file of the user\nrunning libcurl. This is most common for FTP servers, but can occur with\nany protocol supported by libcurl. Files on remote SSH servers are also\naccessible when the user has an unencrypted SSH key.","aliases":["CVE-2009-0037"],"modified":"2026-04-25T20:30:42.556701Z","published":"2009-03-03T08:00:00Z","database_specific":{"URL":"https://curl.se/docs/CVE-2009-0037.json","severity":"Medium","CWE":{"id":"CWE-142","desc":"Improper Neutralization of Value Delimiters"},"package":"curl","last_affected":"7.19.3","affects":"both","www":"https://curl.se/docs/CVE-2009-0037.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"5.11"},{"fixed":"7.19.4"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ae1912cb0d494b48d514d937826c9fe83ec96c4d"},{"fixed":"042cc1f69ec0878f542667cb684378869f859911"}]}],"versions":["7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11"],"database_specific":{"vanir_signatures_modified":"2026-04-25T20:30:42Z","vanir_signatures":[{"id":"CURL-CVE-2009-0037-159f29bc","digest":{"line_hashes":["310830666648635066956287083945093218137","14460778665075801970030897651985159821","67289876690961980609857547235819304273","108253723266719992308559813373159066391","114157038688027889160455695506276308083","3680853883501677942441893072465002665","268184971089781477791360401908957570476","23357178132640841728405853861983698094","93569203271119595950142741331671454889"],"threshold":0.9},"target":{"file":"lib/url.c"},"deprecated":false,"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/042cc1f69ec0878f542667cb684378869f859911"},{"id":"CURL-CVE-2009-0037-23a2d981","digest":{"line_hashes":["155117434170459043260086414455916434921","119244673102177051827712747562267400801","126521293628496759759657566623628090089","36273232399208601908612346185396834973","83872637572426875013819294839968609431","120117297025705112923098309012718761973","173863287716765609326775489092599630781"],"threshold":0.9},"target":{"file":"lib/urldata.h"},"deprecated":false,"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/042cc1f69ec0878f542667cb684378869f859911"},{"id":"CURL-CVE-2009-0037-31cdbc79","digest":{"line_hashes":["296330161650831415412564280083640208008","314128023345881561720719054747711707106","216323952747770605609050728020542276615","333079962586958784331342967425326871910","234338421012705842572420254088074172447","87228205603607148876597539119266995952"],"threshold":0.9},"target":{"file":"include/curl/curl.h"},"deprecated":false,"signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/042cc1f69ec0878f542667cb684378869f859911"},{"id":"CURL-CVE-2009-0037-a3c5625f","digest":{"length":24266,"function_hash":"257905614394854800781978839845878404615"},"target":{"file":"lib/url.c","function":"Curl_setopt"},"deprecated":false,"signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/042cc1f69ec0878f542667cb684378869f859911"},{"id":"CURL-CVE-2009-0037-e60f848b","digest":{"length":1602,"function_hash":"301075944759968825652771901389386298700"},"target":{"file":"lib/url.c","function":"Curl_init_userdefined"},"deprecated":false,"signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/042cc1f69ec0878f542667cb684378869f859911"},{"id":"CURL-CVE-2009-0037-ff978ce6","digest":{"length":721,"function_hash":"118857053075254119951035780996427473957"},"target":{"file":"lib/url.c","function":"setup_connection_internals"},"deprecated":false,"signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/042cc1f69ec0878f542667cb684378869f859911"}],"source":"https://curl.se/docs/CURL-CVE-2009-0037.json"}}],"schema_version":"1.7.5","credits":[{"name":"David Kierznowski","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}