{"id":"CURL-CVE-2025-9086","summary":"Out of bounds read for cookie path","details":"1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n   hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\"/\"`).\n   Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n   boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.","aliases":["CVE-2025-9086"],"modified":"2026-01-06T09:15:41.030274Z","published":"2025-09-10T08:00:00Z","database_specific":{"last_affected":"8.15.0","URL":"https://curl.se/docs/CVE-2025-9086.json","severity":"Low","award":{"amount":"505","currency":"USD"},"issue":"https://hackerone.com/reports/3294999","affects":"lib","package":"curl","CWE":{"id":"CWE-125","desc":"Out-of-bounds Read"},"www":"https://curl.se/docs/CVE-2025-9086.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.13.0"},{"fixed":"8.16.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"1aea05a6c2699e80c75936d58569851555acd603"},{"fixed":"c6ae07c6a541e0e96d0040afb62b45dd37711300"}]}],"versions":["8.15.0","8.14.1","8.14.0","8.13.0"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2025-9086-2ce4e7e1","source":"https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300","digest":{"length":1784,"function_hash":"165902635522532233032557057269934243979"},"target":{"function":"replace_existing","file":"lib/cookie.c"},"signature_version":"v1","signature_type":"Function","deprecated":false},{"id":"CURL-CVE-2025-9086-6c20969f","source":"https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300","digest":{"length":322,"function_hash":"179049927262469336932167202840771014604"},"target":{"function":"sanitize_cookie_path","file":"lib/cookie.c"},"signature_version":"v1","signature_type":"Function","deprecated":false},{"id":"CURL-CVE-2025-9086-c5a4a9ab","source":"https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300","digest":{"line_hashes":["314730481499983113609492170489629066758","97889432682566702809081681306452823952","186720809114596896195841790260773946686","333994858511398020049490665140562940015","120410423370335933348745655926364574808","132789178882440746894753449605196926327","144893248242839835308371152775449701347","273384927473139849547348528647818722765","141735703432496355136970257966860936664"],"threshold":0.9},"target":{"file":"lib/cookie.c"},"signature_version":"v1","signature_type":"Line","deprecated":false}],"source":"https://curl.se/docs/CURL-CVE-2025-9086.json"}}],"schema_version":"1.7.3","credits":[{"name":"Google Big Sleep","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}