{"id":"CURL-CVE-2025-9086","summary":"Out of bounds read for cookie path","details":"1. A cookie is set using the `secure` keyword for `https://target`\n2. curl is redirected to or otherwise made to speak with `http://target` (same\n   hostname, but using clear text HTTP) using the same cookie set\n3. The same cookie name is set - but with just a slash as path (`path=\"/\"`).\n   Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n   boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay.","aliases":["CVE-2025-9086"],"modified":"2026-04-25T20:22:34.043314Z","published":"2025-09-10T08:00:00Z","database_specific":{"award":{"currency":"USD","amount":"505"},"last_affected":"8.15.0","severity":"Low","affects":"lib","package":"curl","www":"https://curl.se/docs/CVE-2025-9086.html","issue":"https://hackerone.com/reports/3294999","URL":"https://curl.se/docs/CVE-2025-9086.json","CWE":{"desc":"Out-of-bounds Read","id":"CWE-125"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.13.0"},{"fixed":"8.16.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"1aea05a6c2699e80c75936d58569851555acd603"},{"fixed":"c6ae07c6a541e0e96d0040afb62b45dd37711300"}]}],"versions":["8.15.0","8.14.1","8.14.0","8.13.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2025-9086.json","vanir_signatures":[{"signature_version":"v1","deprecated":false,"digest":{"function_hash":"165902635522532233032557057269934243979","length":1784},"source":"https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300","id":"CURL-CVE-2025-9086-2ce4e7e1","signature_type":"Function","target":{"file":"lib/cookie.c","function":"replace_existing"}},{"signature_version":"v1","deprecated":false,"digest":{"function_hash":"179049927262469336932167202840771014604","length":322},"source":"https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300","id":"CURL-CVE-2025-9086-6c20969f","signature_type":"Function","target":{"file":"lib/cookie.c","function":"sanitize_cookie_path"}},{"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["314730481499983113609492170489629066758","97889432682566702809081681306452823952","186720809114596896195841790260773946686","333994858511398020049490665140562940015","120410423370335933348745655926364574808","132789178882440746894753449605196926327","144893248242839835308371152775449701347","273384927473139849547348528647818722765","141735703432496355136970257966860936664"],"threshold":0.9},"source":"https://github.com/curl/curl.git/commit/c6ae07c6a541e0e96d0040afb62b45dd37711300","id":"CURL-CVE-2025-9086-c5a4a9ab","signature_type":"Line","target":{"file":"lib/cookie.c"}}],"vanir_signatures_modified":"2026-04-25T20:22:34Z"}}],"schema_version":"1.7.5","credits":[{"name":"Google Big Sleep","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}