{"id":"CURL-CVE-2024-11053","summary":"netrc and redirect credential leak","details":"When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, curl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.\n\nThis flaw only manifests itself if the netrc file has an entry that matches\nthe redirect target hostname but the entry either omits only the password or\nomits both login and password.","aliases":["CVE-2024-11053"],"modified":"2026-05-21T06:00:14.741981763Z","published":"2024-12-11T08:00:00Z","database_specific":{"package":"curl","last_affected":"8.11.0","award":{"currency":"USD","amount":"505"},"URL":"https://curl.se/docs/CVE-2024-11053.json","www":"https://curl.se/docs/CVE-2024-11053.html","affects":"both","severity":"Low","CWE":{"id":"CWE-200","desc":"Exposure of Sensitive Information to an Unauthorized Actor"},"issue":"https://hackerone.com/reports/2829063"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.76.0"},{"fixed":"8.11.1"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"46620b97431e19c53ce82e55055c85830f088cf4"},{"fixed":"e9b9bbac22c26cf67316fa8e6c6b9e831af31949"}]}],"versions":["8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","curl-8_11_0","curl-8_10_1","curl-8_10_0","curl-8_9_1","curl-8_9_0","curl-8_8_0","curl-8_7_1","curl-8_7_0","curl-8_6_0","curl-8_5_0","tiny-curl-8_4_0","curl-8_4_0","curl-8_3_0","curl-8_2_1","curl-8_2_0","curl-8_1_2","curl-8_1_1","curl-8_1_0","curl-8_0_1","curl-8_0_0","curl-7_88_1","curl-7_88_0","curl-7_87_0","curl-7_86_0","curl-7_85_0","curl-7_84_0","curl-7_83_1","curl-7_83_0","curl-7_82_0","curl-7_81_0","curl-7_80_0","curl-7_79_1","curl-7_79_0","curl-7_78_0","curl-7_77_0","curl-7_76_1","curl-7_76_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2024-11053.json"}}],"schema_version":"1.7.5","credits":[{"name":"Harry Sintonen","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}