A vulnerability in libcurl caused the HTTP Referer: header to persist even
when explicitly cleared. While the documentation states that passing NULL to
CURLOPT_REFERER suppresses the header, the option failed to clear the
internal state. As a result the previous referrer string was erroneously
reused and sent in subsequent requests, potentially leaking sensitive
information to unintended servers.