Heap Buffer Vulnerability in cURL Exposing Secure Cookies
CVE-2025-9086

7.5HIGH

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 12 September 2025

What is CVE-2025-9086?

A vulnerability in cURL allows an attacker to exploit a flaw in the handling of secure cookies. When a secure cookie is set for a secure connection and a subsequent request is made to the same hostname over an insecure HTTP connection, a bug in the path comparison logic may incorrectly allow the insecure site to override the secure cookie. This behavior can lead to unexpected results, including potential crashes or data exposure. The issue stems from an incorrect buffer handling that reads outside the allocated memory, presenting a significant security risk for applications relying on secure cookie mechanisms.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

curl 8.15.0

curl 8.14.1

curl 8.14.0

References

https://curl.se/docs/CVE-2025-9086.json

https://curl.se/docs/CVE-2025-9086.html

https://hackerone.com/reports/3294999

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 12, 2025
Vulnerability Reserved
Aug 16, 2025

Credit

Google Big Sleep

Daniel Stenberg

JSON

Curl

What is CVE-2025-9086?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.