CURL before 7.68.0 lacks proper input validation, which allows users to create a `FILE:` URL that can make the client access a remote file using SMB (Windows-only issue). Reference: https://www.openwall.com/lists/oss-security/2020/01/08/1 Upstream commit: https://github.com/curl/curl/commit/1b71bc532bde8621fd3260843f8197182a467ff2
As stated at https://www.openwall.com/lists/oss-security/2020/01/08/1 this issue affects only Windows. Closing this as NOTABUG.