CVE-2025-9086

CWE-125 — Out-of-bounds Read22 documents11 sources

Severity

7.5HIGH

EPSS

0.0%

top 85.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl Curl Debian Debian Linux

Timeline

PublishedSep 12

Latest updateMar 3

Description

1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDhaxx/curl8.13.0 — 8.16.0

▶Alpinecurl< 8.14.1-r2+4

▶Debiancurl< 8.14.1-2+deb13u1+1

▶Ubuntucurl< 7.81.0-1ubuntu1.22+2

▶CVEListV5curl/curl8.15.0 — 8.15.0+3

Also affects: Debian Linux 11.0

Patches

Patch: curl.se ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

curl vulnerabilities↗2026-03-03

▶

OSV

curl vulnerabilities↗2026-02-25

▶

OSV

CVE-2025-9086: 1↗2025-09-12

▶

GHSA

GHSA-v676-f8gm-92r9: 1↗2025-09-12

▶

OSV

CVE-2025-9086: 1↗2025-09-12

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2026-02-25

▶

Oracle

Oracle Oracle Commerce Risk Matrix: MDEX, Forge (curl) — CVE-2025-9086↗2026-01-15

▶

Apple

CVE-2025-9086: iOS 18.7.3 and iPadOS 18.7.3↗2025-12-12

▶

Apple

CVE-2025-9086: macOS Sequoia 15.7.3↗2025-12-12

▶

Apple

CVE-2025-9086: macOS Tahoe 26.2↗2025-12-12

▶

💬Community

HackerOne

CVE-2025-9086: Out of bounds read for cookie path↗2025-09-10

▶