{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9086", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "state": "PUBLISHED", "assignerShortName": "curl", "dateReserved": "2025-08-16T05:40:23.800Z", "datePublished": "2025-09-12T05:10:03.815Z", "dateUpdated": "2026-01-08T09:51:46.552Z"}, "containers": {"cna": {"title": "Out of bounds read for cookie path", "descriptions": [{"lang": "en", "value": "1. A cookie is set using the `secure` keyword for `https://target` \n 2. curl is redirected to or otherwise made to speak with `http://target` (same \n hostname, but using clear text HTTP) using the same cookie set \n 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay."}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2026-01-08T09:51:46.552Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"version": "8.15.0", "status": "affected", "lessThanOrEqual": "8.15.0", "versionType": "semver"}, {"version": "8.14.1", "status": "affected", "lessThanOrEqual": "8.14.1", "versionType": "semver"}, {"version": "8.14.0", "status": "affected", "lessThanOrEqual": "8.14.0", "versionType": "semver"}, {"version": "8.13.0", "status": "affected", "lessThanOrEqual": "8.13.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-9086.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-9086.html", "name": "www"}, {"url": "https://hackerone.com/reports/3294999", "name": "issue"}], "credits": [{"lang": "en", "value": "Google Big Sleep", "type": "finder"}, {"lang": "en", "value": "Daniel Stenberg", "type": "remediation developer"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-12T17:15:47.921625Z", "id": "CVE-2025-9086", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-12T17:16:20.317Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/09/10/1"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-05T02:47:38.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/09/10/1"}, {"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-05T02:47:38.406Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-9086", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-12T17:15:47.921625Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-12T17:16:09.204Z"}}], "cna": {"title": "Out of bounds read for cookie path", "credits": [{"lang": "en", "type": "finder", "value": "Google Big Sleep"}, {"lang": "en", "type": "remediation developer", "value": "Daniel Stenberg"}], "affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "8.15.0", "versionType": "semver", "lessThanOrEqual": "8.15.0"}, {"status": "affected", "version": "8.14.1", "versionType": "semver", "lessThanOrEqual": "8.14.1"}, {"status": "affected", "version": "8.14.0", "versionType": "semver", "lessThanOrEqual": "8.14.0"}, {"status": "affected", "version": "8.13.0", "versionType": "semver", "lessThanOrEqual": "8.13.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://curl.se/docs/CVE-2025-9086.json", "name": "json"}, {"url": "https://curl.se/docs/CVE-2025-9086.html", "name": "www"}, {"url": "https://hackerone.com/reports/3294999", "name": "issue"}], "descriptions": [{"lang": "en", "value": "1. A cookie is set using the `secure` keyword for `https://target` \n 2. curl is redirected to or otherwise made to speak with `http://target` (same \n hostname, but using clear text HTTP) using the same cookie set \n 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "shortName": "curl", "dateUpdated": "2026-01-08T09:51:46.552Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9086", "state": "PUBLISHED", "dateUpdated": "2026-01-08T09:51:46.552Z", "dateReserved": "2025-08-16T05:40:23.800Z", "assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9", "datePublished": "2025-09-12T05:10:03.815Z", "assignerShortName": "curl"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "matchCriteriaId": "4979D5F1-8D49-4EC0-AC6B-230636A10C34", "versionEndExcluding": "8.16.0", "versionStartIncluding": "8.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "1. A cookie is set using the `secure` keyword for `https://target` \n 2. curl is redirected to or otherwise made to speak with `http://target` (same \n hostname, but using clear text HTTP) using the same cookie set \n 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`).\n Since this site is not secure, the cookie *should* just be ignored.\n4. A bug in the path comparison logic makes curl read outside a heap buffer\n boundary\n\nThe bug either causes a crash or it potentially makes the comparison come to\nthe wrong conclusion and lets the clear-text site override the contents of the\nsecure cookie, contrary to expectations and depending on the memory contents\nimmediately following the single-byte allocation that holds the path.\n\nThe presumed and correct behavior would be to plainly ignore the second set of\nthe cookie since it was already set as secure on a secure host so overriding\nit on an insecure host should not be okay."}], "id": "CVE-2025-9086", "lastModified": "2026-01-20T14:58:01.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-12T06:15:44.100", "references": [{"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory", "Patch"], "url": "https://curl.se/docs/CVE-2025-9086.html"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Vendor Advisory"], "url": "https://curl.se/docs/CVE-2025-9086.json"}, {"source": "2499f714-1537-4658-8207-48ae4bb9eae9", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/3294999"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2025/09/10/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00002.html"}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "curl: libcurl: Curl out of bounds read for cookie path", "id": "2394750", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2394750"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-125", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-9086", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Fix deferred", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Fix deferred", "package_name": "devspaces-tech-preview/idea-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:trusted_profile_analyzer:2", "fix_state": "Fix deferred", "package_name": "rhtpa/rhtpa-trustification-service-rhel9", "product_name": "Red Hat Trusted Profile Analyzer"}], "public_date": "2025-09-12T05:10:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-9086\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9086\nhttps://curl.se/docs/CVE-2025-9086.html\nhttps://curl.se/docs/CVE-2025-9086.json\nhttps://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6\nhttps://hackerone.com/reports/3294999"], "threat_severity": "Moderate"}

{"created": "2025-09-15T10:43:59.187814+00:00", "updated": "2025-09-15T10:43:59.187865+00:00", "vendors": ["curl", "curl$PRODUCT$curl"]}