Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2025-9086

Published: Sep 12, 2025 | Modified: Sep 12, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
LOW
Vulnerability-free packages from our partners
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-9086
CWEhttps://cwe.mitre.org/data/definitions/.html
  1. A cookie is set using the secure keyword for https://target
  2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
  3. The same cookie name is set - but with just a slash as path (path=/). Since this site is not secure, the cookie should just be ignored.
  4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Affected Software

Name Vendor Start Version End Version
Curl Ubuntu devel *
Curl Ubuntu esm-infra-legacy/trusty *
Curl Ubuntu esm-infra/bionic *
Curl Ubuntu esm-infra/focal *
Curl Ubuntu esm-infra/xenial *
Curl Ubuntu jammy *
Curl Ubuntu noble *
Curl Ubuntu plucky *
Curl Ubuntu upstream *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use