CVE-2025-9086
Modified Modified - Updated After Analysis
BaseFortify

Publication date: 2025-09-12

Last updated on: 2026-06-02

Assigner: curl

Description
1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-12
Last Modified
2026-06-02
Generated
2026-06-16
AI Q&A
2025-09-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9086
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
curl curl 8.16.0
curl curl 7.31.0
curl curl 8.15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves a bug in curl's handling of cookies with the 'secure' attribute. When a cookie is set as secure on an HTTPS site, it should not be overridden by a cookie from the same hostname served over HTTP. However, due to a flaw in the path comparison logic, curl may read outside the allocated memory buffer, causing either a crash or allowing the insecure HTTP site to override the secure cookie. This behavior breaks the expected security model where secure cookies should only be sent over secure connections.

Impact Analysis

This vulnerability can lead to security issues such as the potential overriding of secure cookies by insecure HTTP responses. This could allow an attacker controlling the HTTP site or network to manipulate or hijack session cookies that were intended to be secure, potentially leading to session hijacking, data leakage, or other unauthorized actions. Additionally, the bug may cause curl to crash, leading to denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart