MediumPublic exploit

curl OAuth2 Bearer Token Leak on Cross-Protocol Redirect

IdentifiersCVE-2025-14524CWE-522

CVE-2025-14524 is a credential leakage vulnerability in curl/libcurl. When an HTTP or HTTPS transfer uses an OAuth2 bearer token and follows a cross-protocol redirect to a second URL using the IMAP, LDAP, POP3, or SMTP scheme, curl may incorrectly forward the bearer token to the redirected target host. According to the provided content, the issue affects curl versions 7.33.0 through 8.17.0 and impacts both the curl command-line tool and applications using libcurl. The flaw is triggered in redirect-handling logic during protocol changes and can result in the Authorization bearer credential being sent over an unintended connection.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can disclose an OAuth2 bearer token to an unintended remote host reached through the redirect chain. An attacker controlling or influencing the redirect target may obtain the leaked token and use it for unauthorized access to resources associated with that token. The primary impact is exposure of sensitive credentials rather than direct code execution or memory corruption.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid using OAuth2 bearer tokens in curl transfers that may follow redirects. Disable automatic redirect following where feasible, and do not permit or strictly restrict cross-protocol redirects from HTTP(S) to IMAP, LDAP, POP3, or SMTP. Limit allowed redirect protocols and targets to trusted destinations only.

Remediation

Patch, then assume compromise.

Upgrade curl to version 8.18.0 or later, which contains the fix for this issue. For downstream products bundling curl, apply the vendor-provided security update that incorporates the corrected curl release or backported patch.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CurlCurlapplication

HaxxCurlapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

30 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

30 SOURCESView more in app

cyber security newsNews

Apr 2, 2026

Apple Expands iOS 18.7.7 Update to More Devices to Shield Users from DarkSword Exploit

A curl vulnerability that may cause unintended transmission of sensitive data over incorrect connections.

apple supportNews

Apr 1, 2026

About the security content of iOS 18.7.7 and iPadOS 18.7.7 - Apple Support

A third-party curl vulnerability that may unintentionally send sensitive information via an incorrect connection.

apple supportNews

Mar 24, 2026

About the security content of macOS Sequoia 15.7.5 - Apple Support (CA)

A curl open source vulnerability affecting Apple software on macOS Sequoia that may result in unintentionally sending sensitive information via an incorrect connection.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity26