CURL-CVE-2025-9086

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2025-9086.html

Import Source

https://curl.se/docs/CURL-CVE-2025-9086.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2025-9086

Aliases

CVE-2025-9086

Published

2025-09-10T08:00:00Z

Modified

2025-09-10T07:45:33Z

Summary

Out of bounds read for cookie path

Details

A cookie is set using the secure keyword for https://target
curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie should just be ignored.
A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Database specific

{
    "package": "curl",
    "issue": "https://hackerone.com/reports/3294999",
    "URL": "https://curl.se/docs/CVE-2025-9086.json",
    "CWE": {
        "desc": "Out-of-bounds Read",
        "id": "CWE-125"
    },
    "award": {
        "currency": "USD",
        "amount": "505"
    },
    "severity": "Low",
    "last_affected": "8.15.0",
    "affects": "lib",
    "www": "https://curl.se/docs/CVE-2025-9086.html"
}

References

Credits

- Google Big Sleep - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.31.0

Fixed

8.16.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

f24dc09d209a2f91ca38d854f0c15ad93f3d7e2d

Fixed

c6ae07c6a541e0e96d0040afb62b45dd37711300

Affected versions

7.*

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

7.77.0

7.78.0

7.79.0

7.79.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.2.0

8.2.1

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Database specific

{
    "vanir_signatures": [
        {
            "target": {
                "file": "lib/cookie.c",
                "function": "replace_existing"
            },
            "digest": {
                "function_hash": "165902635522532233032557057269934243979",
                "length": 1784.0
            },
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "id": "CURL-CVE-2025-9086-2ce4e7e1",
            "source": "https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300"
        },
        {
            "target": {
                "file": "lib/cookie.c",
                "function": "sanitize_cookie_path"
            },
            "digest": {
                "function_hash": "179049927262469336932167202840771014604",
                "length": 322.0
            },
            "signature_type": "Function",
            "signature_version": "v1",
            "deprecated": false,
            "id": "CURL-CVE-2025-9086-6c20969f",
            "source": "https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300"
        },
        {
            "target": {
                "file": "lib/cookie.c"
            },
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "314730481499983113609492170489629066758",
                    "97889432682566702809081681306452823952",
                    "186720809114596896195841790260773946686",
                    "333994858511398020049490665140562940015",
                    "120410423370335933348745655926364574808",
                    "132789178882440746894753449605196926327",
                    "144893248242839835308371152775449701347",
                    "273384927473139849547348528647818722765",
                    "141735703432496355136970257966860936664"
                ]
            },
            "signature_type": "Line",
            "signature_version": "v1",
            "deprecated": false,
            "id": "CURL-CVE-2025-9086-c5a4a9ab",
            "source": "https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300"
        }
    ]
}