CVE-2009-0037

curl 5.11-7.19.3 - Remote Request Smuggling via Redirect Location Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-0037. PoCs published by David Kierznowski.

AI-analyzed exploit summary This exploit demonstrates a security-bypass vulnerability in cURL/libcURL by leveraging a crafted redirection request to inject arbitrary commands via the SCP protocol handler. The payload bypasses security restrictions by embedding shell commands in the URL.

Description

The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.

Exploits (1)

exploitdb WORKING POC VERIFIED

by David Kierznowski · textremotelinux

https://www.exploit-db.com/exploits/32834

View Code ZIP pw:eip

This exploit demonstrates a security-bypass vulnerability in cURL/libcURL by leveraging a crafted redirection request to inject arbitrary commands via the SCP protocol handler. The payload bypasses security restrictions by embedding shell commands in the URL.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: cURL/libcURL 5.11 through 7.19.3

No auth needed

Prerequisites: A vulnerable version of cURL/libcURL · Ability to send a crafted redirection request

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (32)

Core 32

Core References

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-726-1

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34259

Patch, Vendor Advisory x_refsource_confirm

http://curl.haxx.se/lxr/source/CHANGES

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/35766

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34255

Vendor Advisory vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2009-0341.html

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2009/dsa-1738

Various Sources x_refsource_misc

http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/49030

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/1865

Mailing List vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

Third Party Advisory x_refsource_confirm

http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0042

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34138

Patch, Vendor Advisory x_refsource_confirm

http://curl.haxx.se/docs/adv_20090303.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34202

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/501757/100/0/threaded

Patch, Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2009/0581

Vendor Advisory vendor-advisory x_refsource_slackware

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.476602

Various Sources mailing-list x_refsource_mlist

http://lists.vmware.com/pipermail/security-announce/2009/000060.html

Exploit, Patch vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/33962

Vendor Advisory x_refsource_confirm

http://support.apple.com/kb/HT4077

Various Sources x_refsource_misc

http://www.withdk.com/archives/Libcurl_arbitrary_file_access.pdf

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11054

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-200903-21.xml

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6074

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1021783

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34251

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34399

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/504849/100/0/threaded

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34237

Vendor Advisory x_refsource_confirm

http://www.vmware.com/security/advisories/VMSA-2009-0009.html

Scores

EPSS 0.0781

EPSS Percentile 93.9%

Details

CWE

CWE-352

Status published

Products (50)

curl/curl 5.11

curl/curl 6.0

curl/curl 6.1beta

curl/curl 6.2

curl/curl 6.3

curl/curl 6.3.1

curl/curl 6.4

curl/curl 6.5

curl/curl 6.5.1

curl/curl 6.5.2

... and 40 more

Published Mar 05, 2009

Tracked Since Feb 18, 2026