It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities.
By default, curl and libcurl will not follow redirect requests.
This flaw happens only when curl or libcurl are explicitly requested to follow redirects (option --location in curl, and CURLOPT_FOLLOWLOCATION in libcurl).
To mitigate this, it is possible to prevent the automated following of redirects, replacing it by manual redirects (and remove the authentication header), for example.