{"id":"CVE-2025-9086","details":"1. A cookie is set using the `secure` keyword for `https://target` \n 2. curl is redirected to or otherwise made to speak with `http://target` (same \n   hostname, but using clear text HTTP) using the same cookie set \n 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`).\n   Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n   boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.","aliases":["CURL-CVE-2025-9086"],"modified":"2026-03-20T04:23:15.040470Z","published":"2025-09-12T06:15:44.100Z","related":["ALSA-2025:23383","ALSA-2026:1350","ALSA-2026:1825","MGASA-2025-0232","SUSE-SU-2025:03173-1","SUSE-SU-2025:03198-1","SUSE-SU-2025:03267-1","SUSE-SU-2025:03268-1","SUSE-SU-2025:20802-1","SUSE-SU-2025:20824-1","SUSE-SU-2025:21077-1","SUSE-SU-2025:21145-1","openSUSE-SU-2025:15590-1","openSUSE-SU-2025:20090-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html"},{"type":"ADVISORY","url":"https://curl.se/docs/CVE-2025-9086.json"},{"type":"REPORT","url":"https://hackerone.com/reports/3294999"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2025/09/10/1"},{"type":"FIX","url":"https://curl.se/docs/CVE-2025-9086.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/curl/curl","events":[{"introduced":"1c3149881769e7bd79b072e48374e4c2b3678b2f"},{"fixed":"11b991232fbcaa88e2b1faecac224416b0001e35"}],"database_specific":{"versions":[{"introduced":"8.13.0"},{"fixed":"8.16.0"}]}}],"versions":["curl-8_13_0","curl-8_14_0","curl-8_14_1","curl-8_15_0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-9086.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}