@bagder No, there's a flaw there. It's just not in curl, it's in users.
It's a whole new level of threat, one that comes from an attacker that can social engineer users into doing harm without itself being malicious or even sentient.
Can we CVE users?