CURL-CVE-2015-3153

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2015-3153.html

Import Source

https://curl.se/docs/CURL-CVE-2015-3153.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2015-3153

Aliases

CVE-2015-3153

Published

2015-04-29T08:00:00Z

Modified

2026-05-27T02:29:39.446389Z

Summary

sensitive HTTP server headers also sent to proxies

Details

libcurl provides applications a way to set custom HTTP headers to be sent to the server by using CURLOPT_HTTPHEADER. A similar option is available for the curl command-line tool with the '--header' option.

When the connection passes through an HTTP proxy the same set of headers is sent to the proxy as well by default. While this is by design, it has not necessarily been clear nor understood by application programmers.

Such tunneling over a proxy is done for example when using the HTTPS protocol - or when explicitly asked for. In this case, the initial connection to the proxy is made in clear including any custom headers using the HTTP CONNECT method.

While libcurl provides the CURLOPT_HEADEROPT option to allow applications to tell libcurl if the headers should be sent to host and the proxy or use separate lists to the different destinations, it has still defaulted to sending the same headers to both parties for the sake of compatibility.

If the application sets a custom HTTP header with sensitive content (e.g., authentication cookies) without changing the default, the proxy, and anyone who listens to the traffic between the application and the proxy, might get access to those values.

Note: this problem does not exist when using the CURLOPT_COOKIE option (or the --cookie option) or the HTTP auth options, which are always sent only to the destination server.

Database specific

{
    "severity": "High",
    "www": "https://curl.se/docs/CVE-2015-3153.html",
    "CWE": {
        "id": "CWE-201",
        "desc": "Information Exposure Through Sent Data"
    },
    "URL": "https://curl.se/docs/CVE-2015-3153.json",
    "affects": "both",
    "package": "curl",
    "last_affected": "7.42.0"
}

References

Credits

- Yehezkel Horowitz - FINDER
- Oren Souroujon - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

4.0

Fixed

7.42.1

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

ae1912cb0d494b48d514d937826c9fe83ec96c4d

Fixed

6ba2e88a642434bd0ffa95465e4a7d034d03ea10

Fixed

69a2e8d7ec581695a62527cb2252e7350f314ffa

Affected versions

4.*

4.0

4.1

4.10

4.2

4.3

4.4

4.5

4.5.1

4.6

4.7

4.8

4.8.1

4.8.2

4.8.3

4.8.4

4.9

5.*

5.0

5.10

5.11

5.2

5.2.1

5.3

5.4

5.5

5.5.1

5.7

5.7.1

5.8

5.9

5.9.1

6.*

6.0

6.1

6.2

6.3

6.3.1

6.4

6.5

6.5.1

6.5.2

7.*

7.1

7.1.1

7.10

7.10.1

7.10.2

7.10.3

7.10.4

7.10.5

7.10.6

7.10.7

7.10.8

7.11.0

7.11.1

7.11.2

7.12.0

7.12.1

7.12.2

7.12.3

7.13.0

7.13.1

7.13.2

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3

7.16.4

7.17.0

7.17.1

7.18.0

7.18.1

7.18.2

7.19.0

7.19.1

7.19.2

7.19.3

7.19.4

7.19.5

7.19.6

7.19.7

7.2

7.2.1

7.20.0

7.20.1

7.21.0

7.21.1

7.21.2

7.21.3

7.21.4

7.21.5

7.21.6

7.21.7

7.22.0

7.23.0

7.23.1

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.3

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.4

7.4.1

7.4.2

7.40.0

7.41.0

7.42.0

7.5

7.5.1

7.5.2

7.6

7.6.1

7.7

7.7.1

7.7.2

7.7.3

7.8

7.8.1

7.9

7.9.1

7.9.2

7.9.3

7.9.4

7.9.5

7.9.6

7.9.7

7.9.8

Other

before_ftp_statemachine

before_urldata_rename

curl-6_5

curl-6_5_1

curl-6_5_2

curl-7_10

curl-7_10_1

curl-7_10_2

curl-7_10_3

curl-7_10_4

curl-7_10_5

curl-7_10_6

curl-7_10_7

curl-7_10_8

curl-7_11_0

curl-7_11_1

curl-7_11_2

curl-7_12_0

curl-7_12_1

curl-7_12_2

curl-7_12_3

curl-7_13_0

curl-7_13_1

curl-7_13_2

curl-7_14_0

curl-7_14_1

curl-7_15_0

curl-7_15_1

curl-7_15_2

curl-7_15_3

curl-7_15_4

curl-7_15_5

curl-7_15_6-prepipeline

curl-7_16_0

curl-7_16_1

curl-7_16_2

curl-7_16_3

curl-7_16_4

curl-7_17_0

curl-7_17_0-preldapfix

curl-7_17_1

curl-7_18_0

curl-7_18_1

curl-7_18_2

curl-7_19_0

curl-7_19_1

curl-7_19_2

curl-7_19_3

curl-7_19_4

curl-7_19_5

curl-7_19_6

curl-7_19_7

curl-7_1_1

curl-7_2

curl-7_20_0

curl-7_20_1

curl-7_21_0

curl-7_21_1

curl-7_21_2

curl-7_21_3

curl-7_21_4

curl-7_21_5

curl-7_21_6

curl-7_21_7

curl-7_22_0

curl-7_23_0

curl-7_23_1

curl-7_24_0

curl-7_25_0

curl-7_26_0

curl-7_27_0

curl-7_28_0

curl-7_28_1

curl-7_29_0

curl-7_3

curl-7_30_0

curl-7_31_0

curl-7_32_0

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_4_1

curl-7_5

curl-7_5_2

curl-7_6

curl-7_6-pre4

curl-7_6_1

curl-7_6_1-pre1

curl-7_6_1-pre2

curl-7_6_1-pre3

curl-7_7

curl-7_7-beta1

curl-7_7-beta2

curl-7_7-beta3

curl-7_7-beta5

curl-7_7_1

curl-7_7_2

curl-7_7_3

curl-7_7_alpha2

curl-7_8

curl-7_8-pre2

curl-7_8_1

curl-7_8_1-pre3

curl-7_9

curl-7_9_1

curl-7_9_2

curl-7_9_3

curl-7_9_3-pre1

curl-7_9_3-pre2

curl-7_9_3-pre3

curl-7_9_4

curl-7_9_5

curl-7_9_5-pre2

curl-7_9_5-pre4

curl-7_9_6

curl-7_9_7

curl-7_9_7-pre2

curl-7_9_8

curl_7_6-pre3

Database specific

source

"https://curl.se/docs/CURL-CVE-2015-3153.json"

vanir_signatures_modified

"2026-05-27T02:29:39Z"

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/69a2e8d7ec581695a62527cb2252e7350f314ffa",
        "digest": {
            "function_hash": "98044783771648908736397801533184611125",
            "length": 1276.0
        },
        "id": "CURL-CVE-2015-3153-0d6346ca",
        "deprecated": false,
        "target": {
            "file": "tests/libtest/lib1527.c",
            "function": "test"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10",
        "digest": {
            "function_hash": "112562045243783054185468152969743205243",
            "length": 2566.0
        },
        "id": "CURL-CVE-2015-3153-536e1702",
        "deprecated": false,
        "target": {
            "file": "lib/url.c",
            "function": "Curl_init_userdefined"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "235776317782695064748682045941291273372",
                "313476709949763530481507662607641516986",
                "224412127183252428235313325283823781033",
                "292226583050003026211110279524150168941"
            ]
        },
        "id": "CURL-CVE-2015-3153-a7c24e28",
        "deprecated": false,
        "target": {
            "file": "lib/url.c"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10",
        "digest": {
            "function_hash": "98044783771648908736397801533184611125",
            "length": 1276.0
        },
        "id": "CURL-CVE-2015-3153-b3e82869",
        "deprecated": false,
        "target": {
            "file": "tests/libtest/lib1527.c",
            "function": "test"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/6ba2e88a642434bd0ffa95465e4a7d034d03ea10",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "184837749055694259736647071052214275989",
                "302681778085958670063024681149007089641",
                "216082381897291005259430578210534282846",
                "137813027445489953342252715511805106260"
            ]
        },
        "id": "CURL-CVE-2015-3153-d0016f9f",
        "deprecated": false,
        "target": {
            "file": "tests/libtest/lib1527.c"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/69a2e8d7ec581695a62527cb2252e7350f314ffa",
        "digest": {
            "function_hash": "299735180627435421982098196327802998973",
            "length": 2306.0
        },
        "id": "CURL-CVE-2015-3153-e2fbacef",
        "deprecated": false,
        "target": {
            "file": "lib/url.c",
            "function": "Curl_init_userdefined"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/69a2e8d7ec581695a62527cb2252e7350f314ffa",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "184837749055694259736647071052214275989",
                "302681778085958670063024681149007089641",
                "216082381897291005259430578210534282846",
                "137813027445489953342252715511805106260"
            ]
        },
        "id": "CURL-CVE-2015-3153-f0e3ead5",
        "deprecated": false,
        "target": {
            "file": "tests/libtest/lib1527.c"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/69a2e8d7ec581695a62527cb2252e7350f314ffa",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "235776317782695064748682045941291273372",
                "313476709949763530481507662607641516986",
                "224412127183252428235313325283823781033",
                "292226583050003026211110279524150168941"
            ]
        },
        "id": "CURL-CVE-2015-3153-ff72c52a",
        "deprecated": false,
        "target": {
            "file": "lib/url.c"
        }
    }
]