CVE-2021-22876: Privacy Violation (CWE-359) in https://github.com/curl/curl

Medium
Tags: Vulnerability, CVE-2021-22876, CWE-359
Published: Thu Apr 01 2021 (04/01/2021, 17:45:18 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: https://github.com/curl/curl

Description

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

AI-Powered Analysis

AI analysis last updated: 07/10/2025, 19:33:00 UTC

Technical Analysis

CVE-2021-22876 is a medium-severity vulnerability in curl/libcurl versions 7.1.1 through 7.75.0. It lies in libcurl's automatic population of the HTTP Referer: request header. When the CURLOPT_AUTOREFERER option is enabled (in the curl tool, --referer ";auto" or -e ";auto") and libcurl follows a Location: redirect, it sets the Referer: header of the redirected request to the full URL of the previous request. If that URL carried embedded credentials (user:password@host), affected versions did not strip them, so the credentials were sent verbatim to the server that is the target of the second request. That server is often a different host, and possibly a different party, from the one the credentials were meant for; that is the leak.

The issue is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, low confidentiality impact and no integrity or availability impact; the curl project's own advisory rates the severity Low. No exploitation in the wild has been reported. The practical risk is exposure of credentials to a potentially untrusted server, which can lead to unauthorized access or further compromise if those credentials are valid for the original service or reused elsewhere.

Any application that links an affected libcurl, enables automatic Referer generation and passes credentials in URLs is exposed. Embedding credentials in URLs is discouraged (RFC 7231 section 5.5.2 requires user agents to omit the userinfo component when generating Referer) but still occurs in legacy scripts and misconfigured integrations. The issue was publicly disclosed in April 2021 and is fixed in curl 7.76.0, which strips user credentials from the automatically generated Referer: value; users should upgrade to 7.76.0 or later.

Potential Impact

For European organizations, the impact of CVE-2021-22876 centres on exposure of credentials embedded in URLs during HTTP requests made by libcurl. curl and libcurl are embedded in a wide range of software stacks, automation scripts, package managers and network tools used by enterprises and public-sector bodies. Where an affected version is used with automatic Referer enabled and a redirect leads from a credential-bearing URL to another host, the credentials reach that host, which may be a third-party service, a CDN or an internal intermediary that was never meant to see them. Anyone able to read that server's access logs or traffic can then replay the credentials against the original service, enabling unauthorized access, data exposure or lateral movement. For organizations processing personal data under GDPR, such a leak is a confidentiality breach that may lead to personal data exposure or system compromise, with the compliance consequences that follow.

The vulnerability does not directly affect integrity or availability, and exploitation requires two conditions that are both avoidable: credentials placed in URLs (not a best practice, but common in legacy tooling) and automatic Referer generation on redirects. The absence of known active exploitation reduces immediate risk, but the issue remains relevant wherever legacy systems, appliances or custom integrations pin an old libcurl. Overall the threat is moderate and should be addressed promptly to prevent privacy violations and compliance issues.

Mitigation Recommendations

To mitigate CVE-2021-22876, European organizations should take the following actions:
1) Identify and inventory all systems, applications and scripts that use libcurl or the curl tool in versions 7.1.1 through 7.75.0, including copies bundled inside containers, language runtimes and vendor appliances, where an old libcurl is easy to overlook.
2) Upgrade to curl/libcurl 7.76.0 or later, where the automatically generated Referer: value has user credentials stripped.
3) Audit application code and configuration to stop embedding credentials in URLs. Pass them instead through CURLOPT_USERNAME and CURLOPT_PASSWORD (curl tool: -u), an Authorization header, or token-based authentication, so they never become part of a URL that can be copied into Referer.
4) Review where redirects are followed (CURLOPT_FOLLOWLOCATION, curl tool -L) and restrict outgoing requests to trusted domains, since a redirect to another host is how a credential-bearing URL ends up as a Referer sent elsewhere.
5) Monitor web-server access logs and egress traffic for Referer: values that contain a userinfo component (user:password@host). Any hit indicates a leaking client or a misconfiguration and identifies which credential must be rotated.
6) Educate developers and system administrators on secure URL and credential handling to prevent recurrence.
7) Where upgrading is not immediately feasible, disable automatic Referer population: libcurl only generates the header automatically when CURLOPT_AUTOREFERER is enabled (curl tool: --referer ";auto" or -e ";auto"), so leaving it off removes the leak path. Alternatively, backport the 7.76.0 fix to the pinned version.
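The Python below is an added example, not code from the curl project or from this advisory. It models the behaviour described in the Technical Analysis (a Referer: value copied verbatim from a credential-bearing URL, versus one with the userinfo component removed, as curl 7.76.0 does and RFC 7231 section 5.5.2 requires) and implements the detection called for in step 5: a scan of web-server access-log lines in the common "combined" format for Referer values that still carry user:password@. The log lines, hostnames and addresses are constructed for illustration, and build_referer() is a simplified model rather than libcurl's implementation.

```python
"""Added example for CVE-2021-22876 (not curl project code).

build_referer() models how libcurl fills the Referer: header from the previous
URL when following a redirect: copied verbatim before 7.76.0 (credentials
included), userinfo stripped from 7.76.0 on.  find_credential_leaks() scans
web-server access-log lines for Referer values that still carry user:pass@.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Apache/nginx "combined" log format; the Referer is the first of the two
# trailing quoted fields.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def strip_userinfo(url: str) -> str:
    """Drop user:password@ (and the fragment) from a URL, leaving host:port
    and IPv6 brackets untouched.  Both components are forbidden in Referer
    by RFC 7231 section 5.5.2."""
    parts = urlsplit(url)
    host = parts.netloc.rpartition("@")[2]       # text after the last '@'
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def build_referer(previous_url: str, strip_credentials: bool) -> str:
    """Simplified model (not libcurl source) of automatic Referer population.

    strip_credentials=False mirrors curl 7.1.1-7.75.0: the previous URL is
    copied as-is, so an embedded user:password@ travels to the redirect
    target.  True mirrors the 7.76.0 fix."""
    if not strip_credentials:
        return previous_url
    return strip_userinfo(previous_url)


def redact(url: str) -> str:
    """Keep the username for attribution but never echo the password."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rpartition("@")[2]
    user = parts.username or ""
    creds = user if parts.password is None else f"{user}:***"
    return urlunsplit((parts.scheme, f"{creds}@{host}", parts.path,
                       parts.query, parts.fragment))


def find_credential_leaks(log_lines):
    """Return one finding per log line whose Referer carries a userinfo
    component.  A '@' in the query string is not userinfo and is ignored."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m or m["referer"] in ("", "-"):
            continue
        parts = urlsplit(m["referer"])
        if "@" not in parts.netloc:
            continue
        findings.append({
            "client": m["client"],
            "time": m["time"],
            "leaked_user": parts.username or "",
            "has_password": parts.password is not None,
            "referer": redact(m["referer"]),
            "user_agent": m["agent"],
        })
    return findings


# Constructed sample log lines (not real traffic): the server that receives
# the redirected second request.
SAMPLE_ACCESS_LOG = [
    # Leak: client on 7.75.0 copied user:password@ from the redirecting URL.
    '203.0.113.7 - - [10/Jul/2025:19:33:00 +0000] "GET /file.bin HTTP/1.1" 200 512 '
    '"https://alice:s3cret@intranet.example/report?id=7" "curl/7.75.0"',
    # Same flow from a fixed client: userinfo stripped, nothing to flag.
    '203.0.113.7 - - [10/Jul/2025:19:33:01 +0000] "GET /file.bin HTTP/1.1" 200 512 '
    '"https://intranet.example/report?id=7" "curl/7.76.0"',
    # Leak: username only (no password) is still userinfo.
    '198.51.100.2 - - [10/Jul/2025:19:34:10 +0000] "GET /api/v1 HTTP/1.1" 401 0 '
    '"http://svc-account@build.example:8080/job/42" "Mozilla/5.0"',
    # No Referer at all.
    '198.51.100.2 - - [10/Jul/2025:19:34:11 +0000] "GET /robots.txt HTTP/1.1" 404 0 '
    '"-" "curl/8.0.1"',
    # '@' inside the query string: not userinfo, must not be flagged.
    '192.0.2.9 - - [10/Jul/2025:19:35:00 +0000] "GET /x HTTP/1.1" 200 10 '
    '"https://mail.example/search?q=bob@example.org" "Mozilla/5.0"',
]


if __name__ == "__main__":
    leaky = "https://alice:s3cret@intranet.example/report?id=7"
    print("7.75.0 Referer:", build_referer(leaky, strip_credentials=False))
    print("7.76.0 Referer:", build_referer(leaky, strip_credentials=True))
    for f in find_credential_leaks(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} {f['client']} leaked user={f['leaked_user']!r} "
              f"password={f['has_password']} via {f['referer']} ({f['user_agent']})")
```

Run against a real access log with find_credential_leaks(open(path)); the redacted referer field is safe to forward to a ticket or SIEM, while leaked_user tells you which credential to rotate. Matching on the netloc rather than on any "@" in the line is what keeps mailto-style query parameters from producing false positives.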

Technical Details

Data Version
5.1
Assigner Short Name
hackerone
Date Reserved
2021-01-06T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f5e1b0bd07c3938fad5

Added to database: 6/10/2025, 6:54:22 PM

Last enriched: 7/10/2025, 7:33:00 PM

Last updated: 8/16/2025, 8:42:22 AM