curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.

Related CVEs

CVE-2016-8624

Key Information

GHSA ID

GHSA-6pj7-p5f2-4p6f

Published

May 13, 2022 1:09 AM

Last Modified

May 13, 2022 1:09 AM

CVSS Score

7.5 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: September 28, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.