
Status: awaiting analysis

CVE-2026-6253: Proxy Credential Leak in cURL 8.12.0–8.19.0

Platform: curl
Component: curl
Fixed version: 8.19.1


CVE-2026-6253 affects versions of cURL between 8.12.0 and 8.19.0. This vulnerability allows credentials intended for one proxy to be inadvertently passed to a subsequent proxy, potentially exposing sensitive information. The issue arises from how cURL handles redirects between different URL schemes when multiple proxies are configured. A fix is available in cURL 8.19.1.

Impact and attack scenarios

An attacker could exploit this vulnerability by crafting a malicious URL that triggers a redirect from one scheme (e.g., HTTP) to another (e.g., HTTPS), leveraging the configured proxy settings. This would cause cURL to forward the credentials of the first proxy to the second proxy, even if the second proxy does not require authentication. The potential impact is significant, as it could allow an attacker to gain unauthorized access to resources protected by the second proxy, potentially leading to data breaches or system compromise. The blast radius depends on the privileges and access granted by the second proxy. This is particularly concerning in environments with strict proxy authentication policies.

Exploitation status

CVE-2026-6253 was published on 2026-05-13. There is currently no public proof-of-concept (POC) code available. The EPSS score is pending evaluation, indicating the current assessment of exploitability is unknown. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.

Threat intelligence

Exploit status

Proof of concept: unknown
CISA KEV: no

EPSS

0.02% (4th percentile)

Affected software

Component: curl
Vendor: curl
Minimum version: 8.12.0
Maximum version: 8.19.0
Fixed version: 8.19.1

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigations and workarounds

The primary mitigation is to upgrade to cURL version 8.19.1 or later, which addresses the credential forwarding issue. If upgrading is not immediately feasible, consider implementing stricter proxy authentication policies to minimize the impact of a potential credential leak. Specifically, ensure that all proxies require authentication and that credentials are not inadvertently passed between proxies. Network segmentation can also limit the lateral movement potential if this vulnerability is exploited. Review proxy configurations to ensure proper authentication and authorization policies are in place.

How to fix

Upgrade to version 8.19.1 or later to prevent accidental disclosure of proxy credentials. This issue occurs when following redirects between different URL schemes while proxies with and without credentials are in use. Make sure your cURL version is up to date to mitigate this risk.

Frequently asked questions

What is CVE-2026-6253 — Proxy Credential Leak in cURL?

CVE-2026-6253 is a vulnerability in cURL versions 8.12.0 through 8.19.0 where credentials for a first proxy can be inadvertently passed to a second proxy due to how redirects are handled between different URL schemes. Severity pending evaluation.

Am I affected by CVE-2026-6253 in cURL?

You are affected if you are using cURL versions 8.12.0 to 8.19.0 and have configured multiple proxies with different authentication requirements. Check your cURL version with curl --version.
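As an added check for the "Am I affected" question above and the upgrade guidance in the mitigation section (this is an example script written for this page, not code from the advisory or the curl project): a POSIX shell function that decides whether a curl version string falls inside the affected range the advisory states (8.12.0 through 8.19.0 inclusive, fixed in 8.19.1). The `installed_curl_version` helper reads the "curl X.Y.Z" prefix from the first line of `curl --version`; all function and variable names here are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this advisory page (not curl project code): decide whether a
# curl version falls in the affected range the page reports.
# Range values come from the advisory; function names are this example's own.

AFFECTED_MIN="8.12.0"   # first affected release (from the advisory)
AFFECTED_MAX="8.19.0"   # last affected release (from the advisory)
FIXED_IN="8.19.1"       # release that carries the fix (from the advisory)

# normalize_version: keep only the leading "X.Y.Z" part, dropping suffixes
# such as "-DEV" so the numeric comparison below does not choke on them.
normalize_version() {
  printf '%s' "$1" | sed 's/[^0-9.].*//'
}

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Compares the three dotted components numerically; missing components count as 0.
vercmp() {
  a=$(normalize_version "$1"); b=$(normalize_version "$2")
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# curl_affected VERSION: exit status 0 (true) when VERSION lies within
# [AFFECTED_MIN, AFFECTED_MAX] inclusive, 1 otherwise.
curl_affected() {
  [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] && [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# installed_curl_version: the "X.Y.Z" on the first line of `curl --version`
# (that line starts with "curl X.Y.Z"); prints nothing if curl is not installed.
installed_curl_version() {
  curl --version 2>/dev/null | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# report_curl: human-readable verdict for the curl binary found on PATH.
report_curl() {
  v=$(installed_curl_version)
  if [ -z "$v" ]; then
    echo "curl not found on PATH"
  elif curl_affected "$v"; then
    echo "curl $v is within the affected range $AFFECTED_MIN-$AFFECTED_MAX: upgrade to $FIXED_IN or later"
  else
    echo "curl $v is outside the affected range"
  fi
}
```

Source the file and call `report_curl` on each host, or feed `curl_affected` the version strings collected from an inventory; the comparison is numeric per component, so 8.9.x sorts before 8.12.0 as it should, and the prerelease suffix is stripped before comparing.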

How do I fix CVE-2026-6253 in cURL?

Upgrade to cURL version 8.19.1 or later to resolve the vulnerability. If immediate upgrade is not possible, review and strengthen proxy authentication policies.

Is CVE-2026-6253 being actively exploited?

Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-6253. However, it's crucial to monitor for updates.

Where can I find the official cURL advisory for CVE-2026-6253?

Refer to the official cURL security advisory for CVE-2026-6253 on the cURL website: https://curl.se/security/.


CVE-2026-6253 — Vulnerability Details | NextGuard