
Craig De Stigter

#24041 of 53,633
9.8 Total CVSS
Vulnerabilities · 1
PT-2018-3241
9.8
2018-01-18
Curl · Libcurl · CVE-2018-1000007
**Name of the Vulnerable Software and Affected Versions**

libcurl versions 7.1 through 7.57.0

**Description**

The issue is related to insufficient protection of registration data in the libcurl library. This could allow a remote attacker to gain unauthorized access to protected information.

When libcurl is asked to send custom headers in its HTTP requests, it will send that set of headers first to the host in the initial URL and also to the host mentioned in the URL in the `Location:` response header value if a 30X HTTP response code is returned and redirects are followed. This is particularly problematic for applications that pass on custom `Authorization:` headers, as this header often contains sensitive information or data that could allow others to impersonate the client's request.

**Recommendations**

For libcurl versions 7.1 through 7.57.0, consider disabling the sending of custom `Authorization:` headers when following redirects as a temporary workaround until a patch is available. Restrict access to sensitive information that could be leaked through the `Authorization:` header to minimize the risk of exploitation.
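The following is an added illustration, not libcurl code and not part of this advisory. It models the redirect-following step the description refers to: with `strip_cross_host=False` every custom header set on the initial request is replayed to whatever host the `Location:` value names (the behaviour described above); with `strip_cross_host=True` credential-bearing headers are dropped whenever the redirect target is a different host, which is the rule libcurl adopted in its fix and the kind of check an application can apply itself as the workaround. The header names in `CREDENTIAL_HEADERS`, the sample URLs and the token value are constructed for this example.

```python
"""Redirect header forwarding: vulnerable replay beside a host-aware rule.

Added example. Models what happens to custom request headers when a 3xx
response is followed, so the leak path described in the advisory and the
mitigation can be compared on the same input.
"""
from urllib.parse import urljoin, urlsplit

# Header names that carry credentials and must not be re-sent to a host the
# client did not originally address. Set chosen for this example.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})


def hostname(url):
    """Lower-cased host part of a URL, or None if it has no network location."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def headers_for_redirect(initial_url, location, request_headers, strip_cross_host=True):
    """Choose the headers for the follow-up request to `location`.

    strip_cross_host=False reproduces the vulnerable behaviour: the full custom
    header set is replayed to the new host. With strip_cross_host=True the
    credential headers are removed when the target host differs from the host
    of the initial request; same-host redirects keep them.
    """
    target = urljoin(initial_url, location)  # resolve relative Location values
    if not strip_cross_host or hostname(target) == hostname(initial_url):
        return target, dict(request_headers)
    kept = {k: v for k, v in request_headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return target, kept


def follow(initial_url, request_headers, status, response_headers, strip_cross_host=True):
    """Simulate one redirect hop.

    Returns (target_url, headers_to_send), or None when the response is not a
    redirect or carries no Location header.
    """
    if status not in REDIRECT_STATUSES:
        return None
    location = next((v for k, v in response_headers.items() if k.lower() == "location"), None)
    if location is None:
        return None
    return headers_for_redirect(initial_url, location, request_headers, strip_cross_host)


def leaked_credentials(initial_url, target_url, sent_headers):
    """Audit helper: credential header names that reached a different host."""
    if hostname(target_url) == hostname(initial_url):
        return []
    return sorted(k for k in sent_headers if k.lower() in CREDENTIAL_HEADERS)


# Constructed sample exchange: an authenticated API call answered by a 302
# that points at a different host.
SAMPLE_URL = "https://api.example.com/v1/report"
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-sample-token",
    "X-Request-Id": "abc123",
    "Accept": "application/json",
}
SAMPLE_STATUS = 302
SAMPLE_RESPONSE_HEADERS = {"Location": "https://files.example.net/report.json"}

if __name__ == "__main__":
    for mode in (False, True):
        target, hdrs = follow(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_STATUS,
                              SAMPLE_RESPONSE_HEADERS, strip_cross_host=mode)
        print(f"strip_cross_host={mode}: -> {target}")
        print("  forwarded:", sorted(hdrs))
        print("  leaked   :", leaked_credentials(SAMPLE_URL, target, hdrs))
```

The comparison is by hostname only, which is the distinction the advisory draws (initial host versus the host in `Location:`); a same-host redirect, including one given as a relative path, still carries the credential so legitimate flows keep working, while `leaked_credentials` gives a defender a simple check to run over a client's outgoing request log.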