CVE-2025-9086 - Vulnerability Details

1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same
hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path='/'`).
Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00077.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Curl	Curl

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Curl	Curl

Advisories

Source	ID	Title
EUVD	EUVD-2025-29014	1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie should just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://curl.se/docs/CVE-2025-9086.html
https://curl.se/docs/CVE-2025-9086.json
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6
https://hackerone.com/reports/3294999
https://nvd.nist.gov/vuln/detail/CVE-2025-9086
https://www.cve.org/CVERecord?id=CVE-2025-9086

History

Mon, 15 Sep 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
Vendors & Products		Curl Curl curl

Sat, 13 Sep 2025 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
References		https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6 https://nvd.nist.gov/vuln/detail/CVE-2025-9086 https://www.cve.org/CVERecord?id=CVE-2025-9086
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 12 Sep 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 12 Sep 2025 05:30:00 +0000

Type	Values Removed	Values Added
Description		1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie should just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
Title		Out of bounds read for cookie path
References		https://curl.se/docs/CVE-2025-9086.html https://curl.se/docs/CVE-2025-9086.json https://hackerone.com/reports/3294999

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2025-09-12T05:10:03.815Z

Updated: 2025-09-12T17:16:20.317Z

Reserved: 2025-08-16T05:40:23.800Z

Link: CVE-2025-9086

Vulnrichment

Updated: 2025-09-12T17:16:09.204Z

NVD

Status : Awaiting Analysis

Published: 2025-09-12T06:15:44.100

Modified: 2025-09-15T15:21:42.937

Link: CVE-2025-9086

Redhat

Severity : Moderate

Publid Date: 2025-09-12T05:10:03Z

Links: CVE-2025-9086 - Bugzilla

OpenCVE Enrichment

Updated: 2025-09-15T10:43:59Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object