JLSEC-2026-413

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-413.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-413.json

JSON Data

https://api.osv.dev/v1/vulns/JLSEC-2026-413

Upstream

CVE-2024-11053

EUVD-2024-34411

GHSA-h288-5fq8-5pfw

Published

2026-05-04T13:12:06.605Z

Modified

2026-05-04T13:32:47.593073680Z

Severity

3.4 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVSS Calculator

Summary

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could...

Details

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Database specific

{
    "sources": [
        {
            "id": "CVE-2024-11053",
            "database_specific": {
                "status": "Modified"
            },
            "imported": "2026-05-02T08:39:48.725Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-11053",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11053",
            "modified": "2025-11-03T21:16:04.243Z",
            "published": "2024-12-11T08:15:05.307Z"
        },
        {
            "id": "GHSA-h288-5fq8-5pfw",
            "imported": "2026-05-02T08:42:52.155Z",
            "url": "https://api.github.com/advisories/GHSA-h288-5fq8-5pfw",
            "html_url": "https://github.com/advisories/GHSA-h288-5fq8-5pfw",
            "modified": "2025-11-03T21:32:46Z",
            "published": "2024-12-11T09:32:03Z"
        },
        {
            "id": "EUVD-2024-34411",
            "imported": "2026-05-02T08:42:03.140Z",
            "url": "https://euvdservices.enisa.europa.eu/api/enisaid?id=EUVD-2024-34411",
            "html_url": "https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-34411",
            "modified": "2025-11-03T20:36:27Z",
            "published": "2024-12-11T07:34:29Z"
        }
    ],
    "license": "CC-BY-4.0"
}

References

Affected packages

Julia / CURL_jll

Package

Name: CURL_jll
Purl: pkg:julia/CURL_jll?uuid=b21e61f3-bafc-59ac-ab14-4c5c62d6588d

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.11.1+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-413.json"

Julia / LibCURL_jll

Package

Name: LibCURL_jll
Purl: pkg:julia/LibCURL_jll?uuid=deac9b47-8bc7-5906-a0fe-35ac56dc84c0

Affected ranges

Type: SEMVER
Events: Introduced

7.81.0+0

Fixed

8.11.1+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-413.json"