CVE-2025-9086
published 2025-09-12CVE-2025-9086: 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but…
high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same
hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path=\"/\",`).
Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
boundary
The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Affected
49 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_18.7.3_and_ipados | — | — |
| apple | ios_26.2_and_ipados | — | — |
| apple | macos_sequoia | — | — |
| apple | macos_sonoma | — | — |
| apple | macos_tahoe | — | — |
| apple | tvos | — | — |
| apple | visionos | — | — |
| apple | watchos | — | — |
| curl | curl | 8.13.0 – 8.13.0 | — |
| curl | curl | 8.14.0 – 8.14.0 | — |
| curl | curl | 8.14.1 – 8.14.1 | — |
| curl | curl | 8.15.0 – 8.15.0 | — |
| debian | curl | < curl 8.16.0~rc2-1 (forky) | curl 8.16.0~rc2-1 (forky) |
| debian | debian_linux | — | — |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.14.1-r2 | 8.14.1-r2 |
| haxx | curl | >= 0 < 8.16.0-r0 | 8.16.0-r0 |
| haxx | curl | >= 0 < 8.14.1-2+deb13u1 | 8.14.1-2+deb13u1 |
| haxx | curl | >= 0 < 8.16.0~rc2-1 | 8.16.0~rc2-1 |
| haxx | curl | >= 0 < 7.81.0-1ubuntu1.22 | 7.81.0-1ubuntu1.22 |
| haxx | curl | >= 0 < 8.5.0-2ubuntu10.7 | 8.5.0-2ubuntu10.7 |
| haxx | curl | >= 0 < 8.14.1-2ubuntu1.1 | 8.14.1-2ubuntu1.1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.20+esm19 | 7.35.0-1ubuntu2.20+esm19 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH