CVE-2024-11053 [Low] | Information Disclosure in Curl

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-22	1.29%	1.40%	+0.11%
2	2026-05-02	0.95%	1.29%	+0.34%
3	2026-03-06	—	0.95%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-22

1.29%

1.40%

+0.11%

2026-05-02

0.95%

1.29%

+0.34%

2026-03-06

—

0.95%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
3.4	3.1	LOW	`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:N) Service keeps running; no real outage angle.	1.6	1.4	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

3.4

3.1

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:N): Service keeps running; no real outage angle.

1.6

1.4

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2024-11053

vendor	priority	summary	link
`alpine`	—	CVE-2024-11053: 1 source package rows (curl); 235 state rows across 6 repos (3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 6, open 229.	https://security.alpinelinux.org/vuln/CVE-2024-11053
`debian`	unimportant	CVE-2024-11053 unimportant priority: Debian including 1 source packages (curl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2024-11053
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2024-11053
`suse`	medium	CVE-2024-11053 severity moderate: SUSE including 402 source package names (0.0.17-1.1:curl-8.6.0-150600.4.15.1, 0.0.17-1.1:libcurl4-8.6.0-150600.4.15.1, …), 968 product×package rows across 327 product lines (Container bci/gcc, Container bci/golang, … (327 product lines)): Fixed 744, Known Affected 221, Known Not Affected 2, First Fixed 1.	https://www.suse.com/security/cve/CVE-2024-11053/
`ubuntu`	low	CVE-2024-11053 low priority: Ubuntu including 1 source packages (curl), 10 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): released 6, needs-triage 4.	https://ubuntu.com/security/CVE-2024-11053

Affected software / configurations for CVE-2024-11053

Vendor	Product	Version	Raw CPE
haxx	curl	>= 7.76.0, < 8.11.1	cpe:2.3:a:haxx:curl::::::::
netapp	ontap	9	cpe:2.3:a:netapp:ontap:9:::::::*
netapp	ontap_select_deploy_administration_utility	—	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
netapp	h610c_firmware	—	cpe:2.3:o:netapp:h610c_firmware:-:::::::*
netapp	h610s_firmware	—	cpe:2.3:o:netapp:h610s_firmware:-:::::::*
netapp	h615c_firmware	—	cpe:2.3:o:netapp:h615c_firmware:-:::::::*
netapp	h700s_firmware	—	cpe:2.3:o:netapp:h700s_firmware:-:::::::*
netapp	bootstrap_os	—	cpe:2.3:o:netapp:bootstrap_os:-:::::::*
netapp	h300s_firmware	—	cpe:2.3:o:netapp:h300s_firmware:-:::::::*
netapp	h410s_firmware	—	cpe:2.3:o:netapp:h410s_firmware:-:::::::*
netapp	h500s_firmware	—	cpe:2.3:o:netapp:h500s_firmware:-:::::::*

References for CVE-2024-11053

URL	Tags
https://curl.se/docs/CVE-2024-11053.html	Vendor Advisory
https://curl.se/docs/CVE-2024-11053.json	Vendor Advisory
https://hackerone.com/reports/2829063	Exploit Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/12/11/1	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20250124-0012/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20250131-0003/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20250131-0004/

URL

CVE-2024-11053 | netrc and redirect credential leak

Public exploit references (Exploit-DB) for CVE-2024-11053

Exploit prediction scoring system (EPSS) score for CVE-2024-11053

Common vulnerability scoring system (CVSS) metrics for CVE-2024-11053

Weakness enumeration for CVE-2024-11053

OS Trackers for CVE-2024-11053

Affected software / configurations for CVE-2024-11053

References for CVE-2024-11053