ALPINE-CVE-2025-0167

ALPINE-CVE-2025-0167 PUBLISHED CVSS 3.4000000953674316 LOW

When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.

Risk Scores

CVSS v3.1

3.4000000953674316

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.18	curl	8.9.1-r1, 8.9.1-r0, 8.9.0-r0
Alpine:v3.20	curl	7.74.0-r0, 7.75.0-r0, 7.76.0-r0
Alpine:v3.22	curl	7.73.0-r0, 8.1.0-r2, 8.9.1-r2
Alpine:v3.21	curl	7.53.0-r0, 7.62.0-r2, 7.63.0-r0
Alpine:v3.23	curl	7.21.7-r2, 7.19.2-r1, 7.19.4-r0
Alpine:v3.19	curl	7.19.2-r0, 8.9.1-r1, 8.9.1-r0

Timeline

Feb 5, 2025 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2025-0167 advisory

Open in Interactive Console →