Vulnerability CVE-2025-14524: Information

Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Severity: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
URL: https://nvd.nist.gov/vuln/detail/CVE-2025-14524
Published: Jan. 8, 2026
Modified: Jan. 20, 2026
Error type identifier: CWE-601

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
curlsisyphus8.18.0-alt18.18.0-alt1ALT-PU-2026-1133-1404633Fixed
curlsisyphus_riscv648.18.0-alt18.18.0-alt1ALT-PU-2026-1147-1-Fixed
curlsisyphus_loongarch648.18.0-alt18.18.0-alt1ALT-PU-2026-1153-1-Fixed
curlp118.18.0-alt18.18.0-alt1ALT-PU-2026-1135-2404638Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://curl.se/docs/CVE-2025-14524.html
  • Vendor Advisory
  • Patch
https://curl.se/docs/CVE-2025-14524.json
  • Vendor Advisory
https://hackerone.com/reports/3459417
  • Exploit
  • Issue Tracking
  • Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/01/07/4
  • Mailing List
  • Third Party Advisory
  • Patch
    1. cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
      Start including
      7.33.0
      End excluding
      8.18.0
VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
Version: v25.10.0
Back to top