CVE-2025-9086

Published Sep 12, 2025

Last updated 2 months ago

Overview

Description
1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path="/",`). Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
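The single-byte allocation named in the description can be modeled in a few lines of C. This is an added example, not curl's source code: the names `spath`, `sanitize_path`, `scan_from_1_in_bounds` and `insecure_may_replace` are hypothetical, and both the trailing-slash stripping and the scan starting at index 1 are assumptions. The model reports the bounds violation without performing the read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the advisory, NOT curl's source; every name here is
   hypothetical. A sanitized cookie path and the size of its heap buffer. */
struct spath { char *s; size_t alloc; };

/* Copy a path attribute, dropping one trailing '/'.
   min_len 0 models the flaw: "/" becomes "" in a single-byte allocation.
   min_len 1 keeps the leading slash, so "/" stays "/" (two bytes). */
static struct spath sanitize_path(const char *path, size_t min_len)
{
  struct spath p = { NULL, 0 };
  size_t len = strlen(path);
  if(len > min_len && path[len - 1] == '/')
    len--;
  p.s = calloc(len + 1, 1);
  if(!p.s) abort(); /* keep the model simple: no partial state */
  memcpy(p.s, path, len);
  p.alloc = len + 1;
  return p;
}

/* Assumption: the comparison skips the leading '/' and scans from index 1.
   Returns 1 only if index 1 is still inside the allocation. */
static int scan_from_1_in_bounds(const struct spath *p) { return p->alloc > 1; }

/* Hardened check, all reads length-bounded: a cookie set over clear-text
   HTTP may not replace a same-named secure cookie whose first path segment
   is a prefix of the incoming path. Returns 1 if replacement is allowed. */
static int insecure_may_replace(const struct spath *sec,
                                const struct spath *incoming)
{
  size_t slen = sec->alloc - 1, ilen = incoming->alloc - 1, seg = slen;
  const char *sep = slen > 1 ? memchr(sec->s + 1, '/', slen - 1) : NULL;
  if(sep)
    seg = (size_t)(sep - sec->s);
  return !(ilen >= seg && memcmp(sec->s, incoming->s, seg) == 0);
}

int main(void)
{
  struct spath bad = sanitize_path("/", 0), ok = sanitize_path("/", 1);
  printf("flawed in_bounds=%d, fixed in_bounds=%d, may_replace=%d\n",
         scan_from_1_in_bounds(&bad), scan_from_1_in_bounds(&ok),
         insecure_may_replace(&ok, &ok));
  return 0;
}
```

Running the flawed variant of such code under AddressSanitizer is how a read at index 1 of a one-byte buffer would surface as a heap-buffer-overflow report.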
Source
2499f714-1537-4658-8207-48ae4bb9eae9
NVD status
Analyzed
Products
curl, debian_linux

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
HIGH

Weaknesses

nvd@nist.gov
CWE-125

Social media

Hype score
Not currently trending
  1. 📌 Security Alert for IT Professionals Rocky Linux has released an important security update for curl (RLSA-2026:1350). This addresses vulnerability CVE-2025-9086 with CVSS score 5.3. Read more:👉 https://t.co/0RY7WBdYUX #Security #RockyLinux https://t.co/yrE9O8r5kb

    @Cezar_H_Linux

    31 Jan 2026

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 📌 Security Alert for IT Professionals Rocky Linux has released an important security update for curl (RLSA-2026:1350). This addresses vulnerability CVE-2025-9086 with CVSS score 5.3. Read more: 👉 https://t.co/0RY7WBdYUX #Security #RockyLinux https://t.co/pLcV4UlDkq

    @Cezar_H_Linux

    31 Jan 2026

    78 Impressions

    2 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  3. Critical security patch released for #Debian 11 "bullseye" systems. Vulnerability CVE-2025-9086 in curl library could lead to memory corruption and system instability. Read more: 👉 https://t.co/l2v0PjVq50 #Security https://t.co/oRP1G1gv9b

    @Cezar_H_Linux

    5 Jan 2026

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Android vulnerabilities are on the rise: CVE-2025-9086 now at 39.8% market share. Stay informed: [https://t.co/ReJ5dWnTRd](https://t.co/tej1yYFNGt) Created by AI. #Android #Cybersecurity

    @Funker_Dev

    19 Oct 2025

    106 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-9086 dominates with 21.4% share in Android exploits; see full analysis here: https://t.co/tej1yYFNGt Created by AI. #Android #Cybersecurity

    @Funker_Dev

    11 Oct 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. ⚠️Vulnerability in cURL ❗CVE-2025-9086 ➡️More info: https://t.co/GcvHzxjD8h https://t.co/dUBwCksb0q

    @CERTpy

    23 Sept 2025

    122 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 CRITICAL: #Fedora 42 users must patch #curl now! CVE-2025-9086: Out-of-bounds read vuln (cookie path) CVE-2025-10148: Predictable WebSocket mask Risks: DoS, info disclosure, MiTM attacks. Read more: 👉 https://t.co/CLbfkTYifp #Security https://t.co/cqMgLtbGaD

    @Cezar_H_Linux

    21 Sept 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Android exploit market shows a shift with CVE-2025-9086 leading new threats. Stay informed: https://t.co/tej1yYFNGt Created by AI. #Android #Cybersecurity

    @Funker_Dev

    18 Sept 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-9086 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using… https://t.co/n9yBQbg4mz

    @CVEnew

    12 Sept 2025

    464 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Two Severity: Low vulnerabilities in curl: CVE-2025-10148 predictable WebSocket mask https://t.co/HhmfZBZS2a CVE-2025-9086 Out of bounds read for cookie path https://t.co/cFIv6r9MgP

    @autumn_good_35

    10 Sept 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2025-9086: Out of bounds read for cookie path https://t.co/8o5MjofGlX #bugbounty #bugbountytips #bugbountytip

    @bountywriteups

    10 Sept 2025

    693 Impressions

    1 Retweet

    8 Likes

    2 Bookmarks

    1 Reply

    0 Quotes

Configurations

  1. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence numbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. CVE-2025-62603