This issue only affects the "curl" command line utility. Additionally, this is only an issue when using the "-J" and "-i" command line options combined. In most cases, there is nothing to gain for a local attacker here: the curl command line utility is likely running with the same privileges as the user, and thus the user can already overwrite all the files curl could overwrite. However, a local user will have to call curl with the "-J" and "-i" command line options while requesting content from a malicious server, which then opens up an opportunity for the malicious server to overwrite local files