Back to search
CVE-2021-22876
Published: Apr 1, 2021
Modified: Jun 9, 2025
PUBLISHED
Description
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
| Vendor | Product | Versions |
|---|---|---|
n/a | https://github.com/curl/curl | affected 7.1.1 to and including 7.75.0 |
Weaknesses (CWE)
References
https://hackerone.com/reports/1101882
x_refsource_MISC
https://curl.se/docs/CVE-2021-22876.html
x_refsource_MISC
FEDORA-2021-cab5c9befb
vendor-advisory
x_refsource_FEDORA
FEDORA-2021-065371f385
vendor-advisory
x_refsource_FEDORA
FEDORA-2021-26a293c72b
vendor-advisory
x_refsource_FEDORA
[debian-lts-announce] 20210517 [SECURITY] [DLA 2664-1] curl security update
mailing-list
x_refsource_MLIST
GLSA-202105-36
vendor-advisory
x_refsource_GENTOO
https://www.oracle.com//security-alerts/cpujul2021.html
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20210521-0007/
x_refsource_CONFIRM
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now