CVE-2026-6253 affects versions of cURL between 8.12.0 and 8.19.0. This vulnerability allows credentials intended for one proxy to be inadvertently passed to a subsequent proxy, potentially exposing sensitive information. The issue arises from how cURL handles redirects between different URL schemes when multiple proxies are configured. A fix is available in cURL 8.19.1.
Impact and attack scenarios
An attacker could exploit this vulnerability by crafting a malicious URL that triggers a redirect from one scheme (e.g., HTTP) to another (e.g., HTTPS), leveraging the configured proxy settings. This would cause cURL to forward the credentials of the first proxy to the second proxy, even if the second proxy does not require authentication. The potential impact is significant, as it could allow an attacker to gain unauthorized access to resources protected by the second proxy, potentially leading to data breaches or system compromise. The blast radius depends on the privileges and access granted by the second proxy. This is particularly concerning in environments with strict proxy authentication policies.
Exploitation context
CVE-2026-6253 was published on 2026-05-13. There is currently no public proof-of-concept (POC) code available. The EPSS score is pending evaluation, indicating the current assessment of exploitability is unknown. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Threat intelligence
EPSS: 0.02% (4th percentile)
Mitigations and workarounds
The primary mitigation is to upgrade to cURL version 8.19.1 or later, which addresses the credential forwarding issue. If upgrading is not immediately feasible, consider implementing stricter proxy authentication policies to minimize the impact of a potential credential leak. Specifically, ensure that all proxies require authentication and that credentials are not inadvertently passed between proxies. Network segmentation can also limit the lateral movement potential if this vulnerability is exploited. Review proxy configurations to ensure proper authentication and authorization policies are in place.
Remediation
Upgrade to version 8.19.1 or later to avoid accidental disclosure of proxy credentials. This issue occurs when following redirects between different URL schemes while using proxies with and without credentials. Make sure your cURL version is up to date to mitigate this risk.
Frequently asked questions
What is CVE-2026-6253 — Proxy Credential Leak in cURL?
CVE-2026-6253 is a vulnerability in cURL versions 8.12.0 through 8.19.0 where credentials for a first proxy can be inadvertently passed to a second proxy due to how redirects are handled between different URL schemes. Severity pending evaluation.
Am I affected by CVE-2026-6253 in cURL?
You are affected if you are using cURL versions 8.12.0 to 8.19.0 and have configured multiple proxies with different authentication requirements. Check your cURL version with curl --version.
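A version check for the step above, added here as an example that is not from the advisory or the curl project: it parses the first line of `curl --version`, prefers the libcurl version when one is present (the proxy handling lives in the library, and on dynamically linked installs the tool and library versions can differ), and reports whether the build falls in the affected 8.12.0 through 8.19.0 range. The sample output is constructed.

```shell
#!/bin/sh
# Added example (not advisory or project code): classify a `curl --version`
# output against CVE-2026-6253 (affected 8.12.0 .. 8.19.0, fixed in 8.19.1).

# Compare two dotted numeric versions; prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a= || a=${a#*.}   # consume one component of each side
    [ "$b" = "$y" ] && b= || b=${b#*.}
    x=${x:-0}; y=${y:-0}                   # missing components count as 0
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Prints affected | fixed | not-affected | unknown for the given `curl --version` text.
curl_cve_2026_6253_status() {
  first=$(printf '%s\n' "$1" | sed -n '1p')
  tool=$(printf '%s\n' "$first" | awk '$1=="curl"{print $2}')
  lib=$(printf '%s\n' "$first" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
  v=${lib:-$tool}                          # libcurl version if present, else the tool's
  [ -n "$v" ] || { echo unknown; return; }
  v=${v%%-*}                               # drop suffixes such as "-DEV"
  if [ "$(vercmp "$v" 8.12.0)" -ge 0 ] && [ "$(vercmp "$v" 8.19.0)" -le 0 ]; then
    echo affected
  elif [ "$(vercmp "$v" 8.19.1)" -ge 0 ]; then
    echo fixed
  else
    echo not-affected                      # older than the first affected release
  fi
}

# Constructed sample output from a vulnerable build (not captured from a real host).
SAMPLE_OUTPUT='curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.0.2 zlib/1.2.13
Protocols: http https
Features: HTTPS-proxy'

echo "sample build: $(curl_cve_2026_6253_status "$SAMPLE_OUTPUT")"
if command -v curl >/dev/null 2>&1; then
  echo "installed curl: $(curl_cve_2026_6253_status "$(curl --version)")"
fi
```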
How do I fix CVE-2026-6253 in cURL?
Upgrade to cURL version 8.19.1 or later to resolve the vulnerability. If immediate upgrade is not possible, review and strengthen proxy authentication policies.
Is CVE-2026-6253 being actively exploited?
Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-6253. However, it's crucial to monitor for updates.
Where can I find the official cURL advisory for CVE-2026-6253?
Refer to the official cURL security advisory for CVE-2026-6253 on the cURL website: https://curl.se/security/.