DEBIAN-CVE-2009-0037

DEBIAN-CVE-2009-0037 PUBLISHED CVSS 9.300000190734863 CRITICAL

The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
Debian:12	curl	0, 0, 0
Debian:13	curl	0, 0, 0
Debian:14	curl	0, 0, 0
Debian:11	curl	0, 0, 0

Exploit Intelligence

glcve_test.go (github-poc)

Timeline

Mar 5, 2009 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2009-0037 advisory

Open in Interactive Console →