CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap

Disclosed: 2026-03-10 09:38:47 By sabari_n To curl
Low
Vulnerability Details
## Summary:

CURLOPT_UNRESTRICTED_AUTH=1 instructs libcurl to send credentials to ALL hosts during redirect chains, 'possibly again and again as the following hosts can keep redirecting to new hosts.' The documentation explicitly warns this is dangerous, but the default behavior is also risky: curl only protects Authorization and Cookie headers by default — ANY other custom header (including custom auth headers like X-API-Key, X-Auth-Token) is forwarded to ALL redirect destinations with NO protection at all. This is confirmed in the source docs: 'for all other headers than the two mentioned above, there is no protection from this happening when libcurl is told to follow redirects.'

## Affected version

All versions (by design)

docs/libcurl/opts/CURLOPT_UNRESTRICTED_AUTH.md + lib/http.c

## Steps To Reproduce:

### Step 1 — Save the PoC file

Save poc_unrestricted_auth.py to your machine.

### Step 2 — Run it

```bash
python3 poc_unrestricted_auth.py --vector 1
```

### Step 3 — Watch the output

You'll see two servers start — an **origin** and an **attacker**. curl sends your headers to the origin, which redirects to the attacker. Look for this section:

```
[LEAKED] X-API-Key: sk-prod-a1b2c3d4e5f6g7h8i9j0
[LEAKED] X-Auth-Token: eyJhbGciOiJIUzI1NiJ9...
[LEAKED] X-Service-Token: svc-internal-9f8e7d6c5b4a3
[STRIPPED] Authorization ← curl correctly stripped this
[STRIPPED] Cookie ← curl correctly stripped this
```

### Step 4 — That's the bug

Authorization and Cookie were stripped by curl. Your X-API-Key, X-Auth-Token, and every other custom header went straight to the attacker's server.

## Impact

Applications that set custom authorization headers (X-API-Key, X-Auth-Token, X-Service-Token, etc.) via CURLOPT_HTTPHEADER and also enable CURLOPT_FOLLOWLOCATION unknowingly leak those credentials to any redirect destination.

No CVE will be assigned — it is by design — but it affects a very wide range of real applications.

## Recommended:

Do not combine CURLOPT_FOLLOWLOCATION with custom authentication headers. Implement redirect handling manually: disable FOLLOWLOCATION, check CURLINFO_REDIRECT_URL, strip custom auth headers, then re-issue the request. Document this risk explicitly in application-level security reviews.
Report Stats
  • Report ID: 3595764
  • State: Closed
  • Substate: not-applicable
  • Upvotes: 2