cURL prior to 7.47.0 on Windows allows malicious users to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name.
haxx curl