1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Curl
  • Curl

No data.

No data.

References
Link Providers
https://curl.se/docs/CVE-2025-9086.html cve-icon cve-icon cve-icon
https://curl.se/docs/CVE-2025-9086.json cve-icon cve-icon cve-icon
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6 cve-icon
https://hackerone.com/reports/3294999 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-9086 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-9086 cve-icon
History

Mon, 15 Sep 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Curl
Curl curl
Vendors & Products Curl
Curl curl

Sat, 13 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 12 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Sep 2025 05:30:00 +0000

Type Values Removed Values Added
Description 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
Title Out of bounds read for cookie path
References
cve-icon MITRE

Status: PUBLISHED

Assigner: curl

Published: 2025-09-12T05:10:03.815Z

Updated: 2025-09-12T17:16:20.317Z

Reserved: 2025-08-16T05:40:23.800Z

Link: CVE-2025-9086

cve-icon Vulnrichment

Updated: 2025-09-12T17:16:09.204Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-09-12T06:15:44.100

Modified: 2025-09-15T15:21:42.937

Link: CVE-2025-9086

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-09-12T05:10:03Z

Links: CVE-2025-9086 - Bugzilla