CURL-CVE-2025-9086
- Source
- https://curl.se/docs/CVE-2025-9086.html
- Import Source
- https://curl.se/docs/CURL-CVE-2025-9086.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2025-9086
- Aliases
- Published
- 2025-09-10T08:00:00Z
- Modified
- 2026-05-19T09:30:10.038211150Z
- Summary
- Out of bounds read for cookie path
- Details
-
- A cookie is set using the
securekeyword forhttps://target - curl is redirected to or otherwise made to speak with
http://target(same hostname, but using clear text HTTP) using the same cookie set - The same cookie name is set - but with only a slash as path (
path="/"). Since this site is not secure, the cookie should be ignored. - A bug in the path comparison logic makes curl read outside a heap buffer boundary
The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
- A cookie is set using the
- Database specific
{ "award": { "amount": "505", "currency": "USD" }, "package": "curl", "issue": "https://hackerone.com/reports/3294999", "URL": "https://curl.se/docs/CVE-2025-9086.json", "last_affected": "8.15.0", "severity": "Low", "CWE": { "desc": "Out-of-bounds Read", "id": "CWE-125" }, "affects": "lib", "www": "https://curl.se/docs/CVE-2025-9086.html" }- References
-
- Credits
-
-
- Google Big Sleep - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-