Ecosystem	Package	Version

Vulnerabilities

CVE-2025-14524

CVE-2025-14524

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Published Jan 8, 2026

https://curl.se/docs/CVE-2025-14524.html

CVSS ScoreMedium

5.3

Ecosystem	Package	Version


conan	bincrafters/libcurl	7.50.3
conan	bincrafters/libcurl	7.52.1
conan	bincrafters/libcurl	7.56.1
conan	bincrafters/libcurl	7.60.0
conan	bincrafters/libcurl	7.61.1
conan	bincrafters/libcurl	7.64.1
conan	bincrafters/libcurl	7.66.0
rpm	curl	7.61.1-11.el8
rpm	curl	7.61.1-12.el8
rpm	curl	7.61.1-14.el8
rpm	curl	7.61.1-14.el8_3.1
rpm	curl	7.61.1-18.el8
rpm	curl	7.61.1-18.el8_4.1
rpm	curl	7.61.1-18.el8_4.2
rpm	curl	7.61.1-22.el8
rpm	curl	7.61.1-22.el8_6.3
rpm	curl	7.61.1-22.el8_6.4
rpm	curl	7.61.1-25.el8
rpm	curl	7.61.1-25.el8_7.1
rpm	curl	7.61.1-25.el8_7.2
rpm	curl	7.61.1-25.el8_7.3
rpm	curl	7.61.1-30.el8
rpm	curl	7.61.1-30.el8_8.2
rpm	curl	7.61.1-30.el8_8.3
rpm	curl	7.61.1-33.el8
rpm	curl	7.61.1-33.el8_9.5
rpm	curl	7.61.1-34.el8
rpm	curl	7.61.1-34.el8_10.10
rpm	curl	7.61.1-34.el8_10.2
rpm	curl	7.61.1-34.el8_10.3
rpm	curl	7.61.1-34.el8_10.8
rpm	curl	7.61.1-34.el8_10.9
rpm	curl	7.61.1-8.el8
rpm	curl	7.76.1-14.el9
rpm	curl	7.76.1-14.el9_0.4
rpm	curl	7.76.1-14.el9_0.5
rpm	curl	7.76.1-19.el9
rpm	curl	7.76.1-19.el9_1.1
rpm	curl	7.76.1-19.el9_1.2
rpm	curl	7.76.1-23.el9
rpm	curl	7.76.1-23.el9_2.1
rpm	curl	7.76.1-23.el9_2.2
rpm	curl	7.76.1-23.el9_2.4
rpm	curl	7.76.1-26.el9
rpm	curl	7.76.1-26.el9_3.2
rpm	curl	7.76.1-26.el9_3.3
rpm	curl	7.76.1-29.el9_4.1
rpm	curl	7.76.1-29.el9_4
rpm	curl	7.76.1-31.el9
rpm	curl	7.76.1-31.el9_6.1

CVE-2025-14524 | Components Impacted | Sonatype Guide | Sonatype Guide