CURL-CVE-2025-9086
- Source
- https://curl.se/docs/CVE-2025-9086.html
- Import Source
- https://curl.se/docs/CURL-CVE-2025-9086.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2025-9086
- Aliases
- Published
- 2025-09-10T08:00:00Z
- Modified
- 2026-01-06T09:06:08.915067Z
- Summary
- Out of bounds read for cookie path
- Details
-
- A cookie is set using the
securekeyword forhttps://target - curl is redirected to or otherwise made to speak with
http://target(same hostname, but using clear text HTTP) using the same cookie set - The same cookie name is set - but with just a slash as path (
path="/"). Since this site is not secure, the cookie should just be ignored. - A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
- A cookie is set using the
- Database specific
{ "CWE": { "id": "CWE-125", "desc": "Out-of-bounds Read" }, "www": "https://curl.se/docs/CVE-2025-9086.html", "severity": "Low", "URL": "https://curl.se/docs/CVE-2025-9086.json", "issue": "https://hackerone.com/reports/3294999", "affects": "lib", "award": { "currency": "USD", "amount": "505" }, "package": "curl", "last_affected": "8.15.0" }- References
-
- Credits
-
-
- Google Big Sleep - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced8.13.0Fixed8.16.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events
Database specific
source
"https://curl.se/docs/CURL-CVE-2025-9086.json"
vanir_signatures
[
{
"deprecated": false,
"id": "CURL-CVE-2025-9086-2ce4e7e1",
"digest": {
"length": 1784.0,
"function_hash": "165902635522532233032557057269934243979"
},
"source": "https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "lib/cookie.c",
"function": "replace_existing"
}
},
{
"deprecated": false,
"id": "CURL-CVE-2025-9086-6c20969f",
"digest": {
"length": 322.0,
"function_hash": "179049927262469336932167202840771014604"
},
"source": "https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300",
"signature_version": "v1",
"signature_type": "Function",
"target": {
"file": "lib/cookie.c",
"function": "sanitize_cookie_path"
}
},
{
"deprecated": false,
"id": "CURL-CVE-2025-9086-c5a4a9ab",
"digest": {
"threshold": 0.9,
"line_hashes": [
"314730481499983113609492170489629066758",
"97889432682566702809081681306452823952",
"186720809114596896195841790260773946686",
"333994858511398020049490665140562940015",
"120410423370335933348745655926364574808",
"132789178882440746894753449605196926327",
"144893248242839835308371152775449701347",
"273384927473139849547348528647818722765",
"141735703432496355136970257966860936664"
]
},
"source": "https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300",
"signature_version": "v1",
"signature_type": "Line",
"target": {
"file": "lib/cookie.c"
}
}
]