curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed domains before using curl to request them. Passing in http://example.com#@evil.com/x.txt would wrongly make curl send a request to evil.com while your browser would connect to example.com given the same URL. The problem exists for most protocol schemes.
curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed domains before using curl to request them. Passing in http://example.com#@evil.com/x.txt would wrongly make curl send a request to evil.com while your browser would connect to example.com given the same URL. The problem exists for most protocol schemes.
https://curl.haxx.se/docs/adv_20161102J.html
Vulmon