The vulnerability occurs when curl follows an HTTP redirect to the same hostname but a different port number and incorrectly sends authentication headers (such as Authorization:) or Cookie: headers to the new port. The fix introduces a new function, allow_auth_to_host, which checks not only the hostname but also the port and protocol before allowing sensitive headers to be sent. The functions Curl_http_output_auth (for authentication headers) and Curl_add_custom_headers (for cookie headers) were modified to use this stricter check. These two functions were therefore the ones that previously exhibited the vulnerable behavior, sending sensitive information under insecure redirect conditions.
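The difference between the hostname-only comparison and the stricter protocol, hostname and port comparison, as an added example that is not curl's own code. The struct, the function names and the sample redirect are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical types and names for illustration; not curl's internals. */
struct origin { const char *scheme; const char *host; int port; };

/* Case-insensitive compare of at most n bytes. */
static int ieq(const char *a, const char *b, size_t n) {
  for(; n && *a && *b; a++, b++, n--)
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return 0;
  return n == 0 || *a == *b;
}

/* Pre-fix behaviour as described above: only the hostname is compared. */
static int host_only_match(const struct origin *a, const struct origin *b) {
  return ieq(a->host, b->host, (size_t)-1);
}

/* Stricter check: protocol, hostname and port must all match. */
static int same_origin(const struct origin *a, const struct origin *b) {
  return ieq(a->scheme, b->scheme, (size_t)-1) &&
         ieq(a->host, b->host, (size_t)-1) && a->port == b->port;
}

/* Copy headers allowed on the redirected request into out[]; returns count. */
static size_t headers_for_redirect(const char **in, size_t n, int allow_auth,
                                   const char **out) {
  size_t kept = 0;
  for(size_t i = 0; i < n; i++)
    if(allow_auth || !(ieq(in[i], "Authorization:", 14) || ieq(in[i], "Cookie:", 7)))
      out[kept++] = in[i];
  return kept;
}

/* Constructed sample: redirect from port 443 to 8443 on the same hostname. */
static const struct origin FIRST = { "https", "example.com", 443 };
static const struct origin NEXT = { "https", "example.com", 8443 };
static const char *HEADERS[] = { "Accept: text/html",
  "Authorization: Basic <placeholder>", "cookie: session=<placeholder>" };

int main(void) {
  const char *out[3];
  size_t weak = headers_for_redirect(HEADERS, 3, host_only_match(&FIRST, &NEXT), out);
  size_t strict = headers_for_redirect(HEADERS, 3, same_origin(&FIRST, &NEXT), out);
  printf("host-only check sends %zu headers, strict check sends %zu\n", weak, strict);
  return 0;
}
```

With the hostname-only check all three headers follow the redirect; with the stricter check only the non-sensitive Accept header does.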