libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto". The issue has existed in libcurl since version 7.1.1 and is fixed in version 7.76.0.
libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto". The issue has existed in libcurl since version 7.1.1 and is fixed in version 7.76.0.
https://curl.se/docs/CVE-2021-22876.html https://github.com/curl/curl/commit/7214288898f5625a6cc196e22a74232eada7861c
Workaround ========== The issue can be mitigated by providing the credentials with -u or CURLOPT_USERPWD, or by avoiding ACURLOPT_AUTOREFERER and --referer ";auto".
Vulmon