Viktor Szakats

**Name of the Vulnerable Software and Affected Versions** curl versions 7.1.1 through 7.75.0 **Description** The issue is related to the exposure of private personal information to an unauthorized actor by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the `Referer:` HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. This can be exploited by a remote attacker to gain access to confidential data. **Recommendations** For curl versions 7.1.1 through 7.75.0, consider disabling the automatic population of the `Referer:` HTTP request header field by not setting the `CURLOPT AUTOREFERER` option or by not using the `--referer ";auto"` option with the curl tool, until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.