
CVE-2025-14524

Severity: Medium
CVSS Score: 5.3
Published: Jan 08, 2026
Last Modified: Jan 20, 2026

Vulnerability Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector: N
Attack Complexity: H
Privileges Required: N
User Interaction: R
Scope: U
Confidentiality: H
Integrity: N
Availability: N

Known Affected Software

103 configuration(s) from 1 vendor(s)

curl, Version: 7.80.0, CPE: cpe:2.3:a:haxx:curl:7.80.0:*:*:*:*:*:*:*
curl, Version: 8.2.0, CPE: cpe:2.3:a:haxx:curl:8.2.0:*:*:*:*:*:*:*
curl, Version: 7.53.0, CPE: cpe:2.3:a:haxx:curl:7.53.0:*:*:*:*:*:*:*
curl, Version: 7.51.0, CPE: cpe:2.3:a:haxx:curl:7.51.0:*:*:*:*:*:*:*
curl, Version: 8.7.0, CPE: cpe:2.3:a:haxx:curl:8.7.0:*:*:*:*:*:*:*
curl, Version: 7.48.0, CPE: cpe:2.3:a:haxx:curl:7.48.0:*:*:*:*:*:*:*
curl, Version: 7.52.1, CPE: cpe:2.3:a:haxx:curl:7.52.1:*:*:*:*:*:*:*
curl, Version: 8.2.1, CPE: cpe:2.3:a:haxx:curl:8.2.1:*:*:*:*:*:*:*
curl, Version: 7.50.0, CPE: cpe:2.3:a:haxx:curl:7.50.0:*:*:*:*:*:*:*
curl, Version: 8.0.0, CPE: cpe:2.3:a:haxx:curl:8.0.0:*:*:*:*:*:*:*
curl, Version: 7.64.0, CPE: cpe:2.3:a:haxx:curl:7.64.0:*:*:*:*:*:*:*
curl, Version: 8.14.1, CPE: cpe:2.3:a:haxx:curl:8.14.1:*:*:*:*:*:*:*
curl, Version: 7.65.0, CPE: cpe:2.3:a:haxx:curl:7.65.0:*:*:*:*:*:*:*
curl, Version: 7.63.0, CPE: cpe:2.3:a:haxx:curl:7.63.0:*:*:*:*:*:*:*
curl, Version: 7.88.1, CPE: cpe:2.3:a:haxx:curl:7.88.1:*:*:*:*:*:*:*
curl, Version: 7.37.1, CPE: cpe:2.3:a:haxx:curl:7.37.1:*:*:*:*:*:*:*
curl, Version: 7.79.1, CPE: cpe:2.3:a:haxx:curl:7.79.1:*:*:*:*:*:*:*
curl, Version: 7.33.0, CPE: cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*
curl, Version: 7.77.0, CPE: cpe:2.3:a:haxx:curl:7.77.0:*:*:*:*:*:*:*
curl, Version: 7.49.0, CPE: cpe:2.3:a:haxx:curl:7.49.0:*:*:*:*:*:*:*
curl, Version: 8.0.1, CPE: cpe:2.3:a:haxx:curl:8.0.1:*:*:*:*:*:*:*
curl, Version: 7.50.1, CPE: cpe:2.3:a:haxx:curl:7.50.1:*:*:*:*:*:*:*
curl, Version: 7.42.0, CPE: cpe:2.3:a:haxx:curl:7.42.0:*:*:*:*:*:*:*
curl, Version: 7.65.3, CPE: cpe:2.3:a:haxx:curl:7.65.3:*:*:*:*:*:*:*
curl, Version: 7.84.0, CPE: cpe:2.3:a:haxx:curl:7.84.0:*:*:*:*:*:*:*
curl, Version: 7.82.0, CPE: cpe:2.3:a:haxx:curl:7.82.0:*:*:*:*:*:*:*
curl, Version: 7.50.3, CPE: cpe:2.3:a:haxx:curl:7.50.3:*:*:*:*:*:*:*
curl, Version: 8.4.0, CPE: cpe:2.3:a:haxx:curl:8.4.0:*:*:*:*:*:*:*
curl, Version: 8.5.0, CPE: cpe:2.3:a:haxx:curl:8.5.0:*:*:*:*:*:*:*
curl, Version: 7.74.0, CPE: cpe:2.3:a:haxx:curl:7.74.0:*:*:*:*:*:*:*
curl, Version: 8.10.0, CPE: cpe:2.3:a:haxx:curl:8.10.0:*:*:*:*:*:*:*
curl, Version: 7.43.0, CPE: cpe:2.3:a:haxx:curl:7.43.0:*:*:*:*:*:*:*
curl, Version: 7.55.1, CPE: cpe:2.3:a:haxx:curl:7.55.1:*:*:*:*:*:*:*
curl, Version: 7.54.0, CPE: cpe:2.3:a:haxx:curl:7.54.0:*:*:*:*:*:*:*
curl, Version: 7.75.0, CPE: cpe:2.3:a:haxx:curl:7.75.0:*:*:*:*:*:*:*
curl, Version: 7.69.1, CPE: cpe:2.3:a:haxx:curl:7.69.1:*:*:*:*:*:*:*
curl, Version: 8.1.1, CPE: cpe:2.3:a:haxx:curl:8.1.1:*:*:*:*:*:*:*
curl, Version: 7.47.1, CPE: cpe:2.3:a:haxx:curl:7.47.1:*:*:*:*:*:*:*
curl, Version: 7.59.0, CPE: cpe:2.3:a:haxx:curl:7.59.0:*:*:*:*:*:*:*
curl, Version: 7.34.0, CPE: cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*
curl, Version: 7.70.0, CPE: cpe:2.3:a:haxx:curl:7.70.0:*:*:*:*:*:*:*
curl, Version: 7.87.0, CPE: cpe:2.3:a:haxx:curl:7.87.0:*:*:*:*:*:*:*
curl, Version: 7.41.0, CPE: cpe:2.3:a:haxx:curl:7.41.0:*:*:*:*:*:*:*
curl, Version: 7.69.0, CPE: cpe:2.3:a:haxx:curl:7.69.0:*:*:*:*:*:*:*
curl, Version: 7.61.1, CPE: cpe:2.3:a:haxx:curl:7.61.1:*:*:*:*:*:*:*
curl, Version: 7.52.0, CPE: cpe:2.3:a:haxx:curl:7.52.0:*:*:*:*:*:*:*
curl, Version: 7.44.0, CPE: cpe:2.3:a:haxx:curl:7.44.0:*:*:*:*:*:*:*
curl, Version: 8.12.1, CPE: cpe:2.3:a:haxx:curl:8.12.1:*:*:*:*:*:*:*
curl, Version: 7.56.0, CPE: cpe:2.3:a:haxx:curl:7.56.0:*:*:*:*:*:*:*
curl, Version: 7.37.0, CPE: cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*
curl, Version: 7.68.0, CPE: cpe:2.3:a:haxx:curl:7.68.0:*:*:*:*:*:*:*
curl, Version: 7.56.1, CPE: cpe:2.3:a:haxx:curl:7.56.1:*:*:*:*:*:*:*
curl, Version: 7.40.0, CPE: cpe:2.3:a:haxx:curl:7.40.0:*:*:*:*:*:*:*
curl, Version: 7.62.0, CPE: cpe:2.3:a:haxx:curl:7.62.0:*:*:*:*:*:*:*
curl, Version: 7.76.1, CPE: cpe:2.3:a:haxx:curl:7.76.1:*:*:*:*:*:*:*
curl, Version: 7.66.0, CPE: cpe:2.3:a:haxx:curl:7.66.0:*:*:*:*:*:*:*
curl, Version: 7.72.0, CPE: cpe:2.3:a:haxx:curl:7.72.0:*:*:*:*:*:*:*
curl, Version: 7.55.0, CPE: cpe:2.3:a:haxx:curl:7.55.0:*:*:*:*:*:*:*
curl, Version: 7.45.0, CPE: cpe:2.3:a:haxx:curl:7.45.0:*:*:*:*:*:*:*
curl, Version: 8.1.0, CPE: cpe:2.3:a:haxx:curl:8.1.0:*:*:*:*:*:*:*
curl, Version: 7.81.0, CPE: cpe:2.3:a:haxx:curl:7.81.0:*:*:*:*:*:*:*
curl, Version: 7.47.0, CPE: cpe:2.3:a:haxx:curl:7.47.0:*:*:*:*:*:*:*
curl, Version: 7.85.0, CPE: cpe:2.3:a:haxx:curl:7.85.0:*:*:*:*:*:*:*
curl, Version: 8.12.0, CPE: cpe:2.3:a:haxx:curl:8.12.0:*:*:*:*:*:*:*
curl, Version: 7.67.0, CPE: cpe:2.3:a:haxx:curl:7.67.0:*:*:*:*:*:*:*
curl, Version: 7.88.0, CPE: cpe:2.3:a:haxx:curl:7.88.0:*:*:*:*:*:*:*
curl, Version: 7.65.1, CPE: cpe:2.3:a:haxx:curl:7.65.1:*:*:*:*:*:*:*
curl, Version: 8.8.0, CPE: cpe:2.3:a:haxx:curl:8.8.0:*:*:*:*:*:*:*
curl, Version: 7.79.0, CPE: cpe:2.3:a:haxx:curl:7.79.0:*:*:*:*:*:*:*
curl, Version: 7.57.0, CPE: cpe:2.3:a:haxx:curl:7.57.0:*:*:*:*:*:*:*
curl, Version: 8.9.0, CPE: cpe:2.3:a:haxx:curl:8.9.0:*:*:*:*:*:*:*
curl, Version: 7.54.1, CPE: cpe:2.3:a:haxx:curl:7.54.1:*:*:*:*:*:*:*
curl, Version: 8.7.1, CPE: cpe:2.3:a:haxx:curl:8.7.1:*:*:*:*:*:*:*
curl, Version: 7.73.0, CPE: cpe:2.3:a:haxx:curl:7.73.0:*:*:*:*:*:*:*
curl, Version: 7.60.0, CPE: cpe:2.3:a:haxx:curl:7.60.0:*:*:*:*:*:*:*
curl, Version: 8.6.0, CPE: cpe:2.3:a:haxx:curl:8.6.0:*:*:*:*:*:*:*
curl, Version: 8.1.2, CPE: cpe:2.3:a:haxx:curl:8.1.2:*:*:*:*:*:*:*
curl, Version: 7.76.0, CPE: cpe:2.3:a:haxx:curl:7.76.0:*:*:*:*:*:*:*
curl, Version: 8.9.1, CPE: cpe:2.3:a:haxx:curl:8.9.1:*:*:*:*:*:*:*
curl, Version: 7.42.1, CPE: cpe:2.3:a:haxx:curl:7.42.1:*:*:*:*:*:*:*
curl, Version: 7.50.2, CPE: cpe:2.3:a:haxx:curl:7.50.2:*:*:*:*:*:*:*
curl, Version: 7.35.0, CPE: cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*
curl, Version: 8.14.0, CPE: cpe:2.3:a:haxx:curl:8.14.0:*:*:*:*:*:*:*
curl, Version: 7.64.1, CPE: cpe:2.3:a:haxx:curl:7.64.1:*:*:*:*:*:*:*
curl, Version: 8.11.1, CPE: cpe:2.3:a:haxx:curl:8.11.1:*:*:*:*:*:*:*
curl, Version: 7.86.0, CPE: cpe:2.3:a:haxx:curl:7.86.0:*:*:*:*:*:*:*
curl, Version: 8.11.0, CPE: cpe:2.3:a:haxx:curl:8.11.0:*:*:*:*:*:*:*
curl, Version: 7.65.2, CPE: cpe:2.3:a:haxx:curl:7.65.2:*:*:*:*:*:*:*
curl, Version: 7.36.0, CPE: cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*
curl, Version: 7.58.0, CPE: cpe:2.3:a:haxx:curl:7.58.0:*:*:*:*:*:*:*
curl, Version: 8.13.0, CPE: cpe:2.3:a:haxx:curl:8.13.0:*:*:*:*:*:*:*
curl, Version: 7.78.0, CPE: cpe:2.3:a:haxx:curl:7.78.0:*:*:*:*:*:*:*
curl, Version: 7.46.0, CPE: cpe:2.3:a:haxx:curl:7.46.0:*:*:*:*:*:*:*
curl, Version: 7.71.1, CPE: cpe:2.3:a:haxx:curl:7.71.1:*:*:*:*:*:*:*
curl, Version: 7.49.1, CPE: cpe:2.3:a:haxx:curl:7.49.1:*:*:*:*:*:*:*
curl, Version: 7.71.0, CPE: cpe:2.3:a:haxx:curl:7.71.0:*:*:*:*:*:*:*
curl, Version: 7.39.0, CPE: cpe:2.3:a:haxx:curl:7.39.0:*:*:*:*:*:*:*
curl, Version: 7.53.1, CPE: cpe:2.3:a:haxx:curl:7.53.1:*:*:*:*:*:*:*
curl, Version: 8.10.1, CPE: cpe:2.3:a:haxx:curl:8.10.1:*:*:*:*:*:*:*
curl, Version: 7.83.0, CPE: cpe:2.3:a:haxx:curl:7.83.0:*:*:*:*:*:*:*
curl, Version: 7.83.1, CPE: cpe:2.3:a:haxx:curl:7.83.1:*:*:*:*:*:*:*
curl, Version: 7.61.0, CPE: cpe:2.3:a:haxx:curl:7.61.0:*:*:*:*:*:*:*
curl, Version: 7.38.0, CPE: cpe:2.3:a:haxx:curl:7.38.0:*:*:*:*:*:*:*

This vulnerability affects 103 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

2 patches available from vendors

Oracle

CPUAPR2026
Oracle Critical Patch Update Advisory - April 2026
Severity: Critical
Released: Apr 21, 2026
Restart Required
Security Update

Canonical (Ubuntu)

USN-8062-1
USN-8062-1: curl vulnerabilities
Severity: Unknown
Released: Feb 25, 2026
Security Update

Severity Details

5.3 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Description: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Exploit Likelihood: Low
Typical Severity: High
Abstraction Level: Base

Key Information

Published Date: January 08, 2026