CVE-2009-0037
Description
The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
cURL/libcURL 7.19.3 - HTTP 'Location:' Redirect Security Bypass
source: https://www.securityfocus.com/bid/33962/info
cURL/libcURL is prone to a security-bypass vulnerability.
Remote attackers can exploit this issue to bypass certain security restrictions and carry out various attacks.
This issue affects cURL/libcURL 5.11 through 7.19.3. Other versions may also be vulnerable.
The following example redirection request may be used to carry out this attack:
Location: scp://name:passwd@host/a'``;date >/tmp/test``;' OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 7.18.2-8.1 |
| sid | Fixed | 7.18.2-8.1 |
| forky | Fixed | 7.18.2-8.1 |
| bullseye | Fixed | 7.18.2-8.1 |
| bookworm | Fixed | 7.18.2-8.1 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.