A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.

Related CVEs

CVE-2016-8616

Key Information

GHSA ID

GHSA-22qv-x7vv-h86h

Published

May 13, 2022 1:38 AM

Last Modified

May 13, 2022 1:38 AM

CVSS Score

5.0 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 28, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.