Name: CVE-2025-0167

Description: When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
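The triggering condition above is a property of the `.netrc` file itself, so it can be checked before relying on a curl older than the fix. The following is an added example, not Debian's or curl's code: a small `.netrc` parser that flags any `default` entry carrying neither a login nor a password; the sample file contents and all function names are constructed for the example.

```python
"""Checker for the .netrc shape that triggers CVE-2025-0167.

Added example, not Debian's or curl's own code: it parses a .netrc file
and reports any `default` entry that carries neither a login nor a
password, the one condition under which an affected curl could send the
first host's password on to a redirect target.
"""
from typing import Dict, List

# Constructed sample: one ordinary host entry followed by a bare default entry.
SAMPLE_NETRC = """\
machine example.com login alice password s3cret
default
"""

def parse_netrc(text: str) -> List[Dict[str, str]]:
    """Return one dict per entry; the host key is 'default' for a default entry."""
    entries: List[Dict[str, str]] = []
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            entries.append({"host": tokens[i + 1]})
            i += 2
        elif tok == "default":
            entries.append({"host": "default"})
            i += 1
        elif tok in ("login", "password", "account") and entries:
            entries[-1][tok] = tokens[i + 1]
            i += 2
        elif tok == "macdef":
            # Macro bodies run until a blank line; this checker does not handle them.
            raise ValueError("macdef blocks are not supported by this checker")
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return entries

def bare_default_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Default entries with neither login nor password: the CVE-2025-0167 trigger."""
    return [e for e in entries
            if e["host"] == "default" and "login" not in e and "password" not in e]

def netrc_triggers_cve_2025_0167(text: str) -> bool:
    """True when the file contains at least one bare default entry."""
    return bool(bare_default_entries(parse_netrc(text)))

if __name__ == "__main__":
    for entry in bare_default_entries(parse_netrc(SAMPLE_NETRC)):
        print("bare default entry found:", entry)
```

A hit means a curl older than the fixed versions listed on this page could forward the first host's password across a redirect; giving the `default` entry its own login and password, or removing it, closes the condition.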
Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version                 Status
curl (PTS)       bullseye              7.74.0-1.3+deb11u13     fixed
                 bullseye (security)   7.74.0-1.3+deb11u16     fixed
                 bookworm              7.88.1-10+deb12u14      fixed
                 bookworm (security)   7.88.1-10+deb12u5       vulnerable
                 trixie                8.14.1-2+deb13u3        fixed
                 forky, sid            8.20.0-2                fixed
The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version                      Urgency   Origin   Debian Bugs
curl      source   bullseye     (not affected)
curl      source   bookworm     7.88.1-10+deb12u11
curl      source   (unstable)   8.12.0+git20250209.89ed161+ds-1
Notes

[bullseye] - curl <not-affected> (Vulnerable code introduced later)
https://curl.se/docs/CVE-2025-0167.html
Introduced with: https://github.com/curl/curl/commit/46620b97431e19c53ce82e55055c85830f088cf4 (curl-7_76_0)
Fixed by: https://github.com/curl/curl/commit/0e120c5b925e8ca75d5319e319e5ce4b8080d8eb (curl-8_12_0)