CVE-2025-9086

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-9086
1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://curl.se/docs/CVE-2025-9086.html
https://curl.se/docs/CVE-2025-9086.json
https://hackerone.com/reports/3294999
http://www.openwall.com/lists/oss-security/2025/09/10/1
https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html
Configurations

No configuration.

History

08 Jan 2026, 10:15

Type Values Removed Values Added
Summary (en) 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay. (en) 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

05 Jan 2026, 03:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html -

04 Nov 2025, 22:16

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/09/10/1 -

12 Sep 2025, 18:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5

12 Sep 2025, 06:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-09-12 06:15

Updated : 2026-01-08 10:15

NVD link : CVE-2025-9086

Mitre link : CVE-2025-9086

CVE.ORG link : CVE-2025-9086

JSON object : View

Products Affected

No product.

CWE

No CWE.