Out of bounds read for cookie path_CVE-2025-9086

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same
hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path='/'`).
Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Basic Information

ID CVE-2025-9086

Source curl

Published Sep 12, 2025 at 05:10

Modified Sep 12, 2025 at 17:16

Affected Product

Vendor curl

Product curl

Version 8.15.0

Affected Versions curl curl 8.15.0
curl curl 8.14.1
curl curl 8.14.0
curl curl 8.13.0
curl curl 8.12.1
curl curl 8.12.0
curl curl 8.11.1
curl curl 8.11.0
curl curl 8.10.1
curl curl 8.10.0
curl curl 8.9.1
curl curl 8.9.0
curl curl 8.8.0
curl curl 8.7.1
curl curl 8.7.0
curl curl 8.6.0
curl curl 8.5.0
curl curl 8.4.0
curl curl 8.3.0
curl curl 8.2.1
curl curl 8.2.0
curl curl 8.1.2
curl curl 8.1.1
curl curl 8.1.0
curl curl 8.0.1
curl curl 8.0.0
curl curl 7.88.1
curl curl 7.88.0
curl curl 7.87.0
curl curl 7.86.0
curl curl 7.85.0
curl curl 7.84.0
curl curl 7.83.1
curl curl 7.83.0
curl curl 7.82.0
curl curl 7.81.0
curl curl 7.80.0
curl curl 7.79.1
curl curl 7.79.0
curl curl 7.78.0
curl curl 7.77.0
curl curl 7.76.1
curl curl 7.76.0
curl curl 7.75.0
curl curl 7.74.0
curl curl 7.73.0
curl curl 7.72.0
curl curl 7.71.1
curl curl 7.71.0
curl curl 7.70.0
curl curl 7.69.1
curl curl 7.69.0
curl curl 7.68.0
curl curl 7.67.0
curl curl 7.66.0
curl curl 7.65.3
curl curl 7.65.2
curl curl 7.65.1
curl curl 7.65.0
curl curl 7.64.1
curl curl 7.64.0
curl curl 7.63.0
curl curl 7.62.0
curl curl 7.61.1
curl curl 7.61.0
curl curl 7.60.0
curl curl 7.59.0
curl curl 7.58.0
curl curl 7.57.0
curl curl 7.56.1
curl curl 7.56.0
curl curl 7.55.1
curl curl 7.55.0
curl curl 7.54.1
curl curl 7.54.0
curl curl 7.53.1
curl curl 7.53.0
curl curl 7.52.1
curl curl 7.52.0
curl curl 7.51.0
curl curl 7.50.3
curl curl 7.50.2
curl curl 7.50.1
curl curl 7.50.0
curl curl 7.49.1
curl curl 7.49.0
curl curl 7.48.0
curl curl 7.47.1
curl curl 7.47.0
curl curl 7.46.0
curl curl 7.45.0
curl curl 7.44.0
curl curl 7.43.0
curl curl 7.42.1
curl curl 7.42.0
curl curl 7.41.0
curl curl 7.40.0
curl curl 7.39.0
curl curl 7.38.0
curl curl 7.37.1
curl curl 7.37.0
curl curl 7.36.0
curl curl 7.35.0
curl curl 7.34.0
curl curl 7.33.0
curl curl 7.32.0
curl curl 7.31.0

References

{
    "lastseen": "",
    "description": "1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n   hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path='/'`).\n   Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n   boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.",
    "published": "2025-09-12T05:10:03.815Z",
    "modified": "2025-09-12T17:16:20.317Z",
    "type": "cve",
    "title": "Out of bounds read for cookie path",
    "source": "curl",
    "references": "https://curl.se/docs/CVE-2025-9086.json\nhttps://curl.se/docs/CVE-2025-9086.html\nhttps://hackerone.com/reports/3294999",
    "id": "CVE-2025-9086",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "curl curl 8.15.0\ncurl curl 8.14.1\ncurl curl 8.14.0\ncurl curl 8.13.0\ncurl curl 8.12.1\ncurl curl 8.12.0\ncurl curl 8.11.1\ncurl curl 8.11.0\ncurl curl 8.10.1\ncurl curl 8.10.0\ncurl curl 8.9.1\ncurl curl 8.9.0\ncurl curl 8.8.0\ncurl curl 8.7.1\ncurl curl 8.7.0\ncurl curl 8.6.0\ncurl curl 8.5.0\ncurl curl 8.4.0\ncurl curl 8.3.0\ncurl curl 8.2.1\ncurl curl 8.2.0\ncurl curl 8.1.2\ncurl curl 8.1.1\ncurl curl 8.1.0\ncurl curl 8.0.1\ncurl curl 8.0.0\ncurl curl 7.88.1\ncurl curl 7.88.0\ncurl curl 7.87.0\ncurl curl 7.86.0\ncurl curl 7.85.0\ncurl curl 7.84.0\ncurl curl 7.83.1\ncurl curl 7.83.0\ncurl curl 7.82.0\ncurl curl 7.81.0\ncurl curl 7.80.0\ncurl curl 7.79.1\ncurl curl 7.79.0\ncurl curl 7.78.0\ncurl curl 7.77.0\ncurl curl 7.76.1\ncurl curl 7.76.0\ncurl curl 7.75.0\ncurl curl 7.74.0\ncurl curl 7.73.0\ncurl curl 7.72.0\ncurl curl 7.71.1\ncurl curl 7.71.0\ncurl curl 7.70.0\ncurl curl 7.69.1\ncurl curl 7.69.0\ncurl curl 7.68.0\ncurl curl 7.67.0\ncurl curl 7.66.0\ncurl curl 7.65.3\ncurl curl 7.65.2\ncurl curl 7.65.1\ncurl curl 7.65.0\ncurl curl 7.64.1\ncurl curl 7.64.0\ncurl curl 7.63.0\ncurl curl 7.62.0\ncurl curl 7.61.1\ncurl curl 7.61.0\ncurl curl 7.60.0\ncurl curl 7.59.0\ncurl curl 7.58.0\ncurl curl 7.57.0\ncurl curl 7.56.1\ncurl curl 7.56.0\ncurl curl 7.55.1\ncurl curl 7.55.0\ncurl curl 7.54.1\ncurl curl 7.54.0\ncurl curl 7.53.1\ncurl curl 7.53.0\ncurl curl 7.52.1\ncurl curl 7.52.0\ncurl curl 7.51.0\ncurl curl 7.50.3\ncurl curl 7.50.2\ncurl curl 7.50.1\ncurl curl 7.50.0\ncurl curl 7.49.1\ncurl curl 7.49.0\ncurl curl 7.48.0\ncurl curl 7.47.1\ncurl curl 7.47.0\ncurl curl 7.46.0\ncurl curl 7.45.0\ncurl curl 7.44.0\ncurl curl 7.43.0\ncurl curl 7.42.1\ncurl curl 7.42.0\ncurl curl 7.41.0\ncurl curl 7.40.0\ncurl curl 7.39.0\ncurl curl 7.38.0\ncurl curl 7.37.1\ncurl curl 7.37.0\ncurl curl 7.36.0\ncurl curl 7.35.0\ncurl curl 7.34.0\ncurl curl 7.33.0\ncurl curl 7.32.0\ncurl curl 7.31.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "curl",
    "version": "8.15.0",
    "vendor": "curl",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply