diff --git a/lib/http.c b/lib/http.c
index 74422c58e6bb85d36c8f46cc4fbbf2a6554b5c2a..bd6adf96491558d65e8846ff54e7b33a38b1615c 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -144,7 +144,7 @@ static CURLcode Curl_output_basic(struct connectdata *conn, bool proxy)
     pwd = conn->passwd;
   }
 
-  sprintf(data->state.buffer, "%s:%s", user, pwd);
+  snprintf(data->state.buffer, sizeof(data->state.buffer), "%s:%s", user, pwd);
   if(Curl_base64_encode(data->state.buffer,
                         strlen(data->state.buffer),
                         &authorization) > 0) {