Heap Buffer Vulnerability in cURL Exposing Secure Cookies
CVE-2025-9086


Key Information:

Vendor: Curl
Status: Vendor
CVE Published: 12 September 2025

What is CVE-2025-9086?

CVE-2025-9086 is an out-of-bounds heap read in curl's cookie handling. The vulnerable sequence is: a cookie is set with the secure attribute for an HTTPS host; curl then makes a subsequent request to the same hostname over clear-text HTTP (for example after a redirect), and that insecure site sets a cookie with the same name and a path of "/". Because the site is not secure, the new cookie should simply be ignored. Instead, a bug in the path comparison logic makes curl read past the end of the heap buffer that holds the cookie path. Depending on the contents of the memory immediately following that buffer, the result is either a crash or a wrong comparison that lets the clear-text site override the secure cookie, contrary to what applications relying on secure cookies expect. The issue was fixed in curl 8.16.0.
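The path comparison flaw described above, as an added example that is not curl's own code: a standalone C reconstruction of a secure-cookie overlay check with the same shape of bug (the search for the end of the first path segment starts one byte into the sanitized path, which for a path of "/" is one byte past the end of a single-byte buffer), beside a hardened version. The function names, the reduced sanitisation rules, the ci_equal_n comparison routine and the "/account" clear-text cookie path are assumptions made for this illustration; the path_with_neighbour helper exists only so that the out-of-bounds read lands on a byte the program controls rather than on real heap memory.

```c
/*
 * Added illustration, not code from curl: a standalone reconstruction of
 * the secure-cookie overlay check that CVE-2025-9086 describes. All names
 * here (sanitize_cookie_path, ci_equal_n, insecure_may_overlay_*,
 * path_with_neighbour) are assumptions for this example.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6265 5.2.4 style sanitisation, reduced to the two rules that matter
 * here: a path not starting with '/' becomes "/", and a trailing slash is
 * removed. The edge case is a path of exactly "/": it becomes "" and the
 * returned heap buffer is a single byte holding only the terminator. */
char *sanitize_cookie_path(const char *path)
{
  size_t len = strlen(path);
  char *out;

  if(path[0] != '/') {
    path = "/";
    len = 1;
  }
  else if(len && path[len - 1] == '/')
    len--;                          /* "/" -> "", "/login/" -> "/login" */
  out = malloc(len + 1);            /* exactly the bytes needed */
  if(!out)
    return NULL;
  memcpy(out, path, len);
  out[len] = '\0';
  return out;
}

/* Case-insensitive comparison of at most max bytes, where max == 0 means
 * "equal this far" (assumed helper, not curl's routine). */
static bool ci_equal_n(const char *a, const char *b, size_t max)
{
  while(*a && *b && max) {
    if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
      return false;
    max--;
    a++;
    b++;
  }
  if(max == 0)
    return true;
  return tolower((unsigned char)*a) == tolower((unsigned char)*b);
}

/* Vulnerable pattern. May a cookie set over clear-text HTTP overlay an
 * existing secure cookie of the same name? Refuse when the insecure path
 * shares the secure path's first segment. The segment search starts at
 * secure_path + 1 to skip the leading slash, but for a sanitized secure
 * path of "" that address is already past the terminator: on the real
 * single-byte allocation this is an out-of-bounds heap read, and the
 * decision depends on whatever byte happens to follow the buffer. */
bool insecure_may_overlay_vulnerable(const char *secure_path,
                                     const char *insecure_path)
{
  const char *sep = strchr(secure_path + 1, '/');   /* OOB when "" */
  size_t seglen = sep ? (size_t)(sep - secure_path) : strlen(secure_path);

  return !ci_equal_n(secure_path, insecure_path, seglen);
}

/* Hardened version: an empty sanitized path means "/", the whole site, so
 * any clear-text cookie of that name is refused outright, and the leading
 * slash is only skipped when it is there, so no read starts past the end. */
bool insecure_may_overlay_fixed(const char *secure_path,
                                const char *insecure_path)
{
  const char *sep;
  size_t seglen;

  if(secure_path[0] == '\0')
    return false;
  sep = strchr(secure_path + 1, '/');
  seglen = sep ? (size_t)(sep - secure_path) : strlen(secure_path);
  return !ci_equal_n(secure_path, insecure_path, seglen);
}

/* Demo-only helper: copy a sanitized path into a buffer that has a chosen
 * byte right after the terminator (then a second terminator), so the
 * vulnerable function's read past the string lands on a byte this program
 * controls instead of on real heap memory. */
char *path_with_neighbour(const char *path, char neighbour)
{
  size_t len = strlen(path);
  char *buf = malloc(len + 3);

  if(!buf)
    return NULL;
  memcpy(buf, path, len + 1);
  buf[len + 1] = neighbour;
  buf[len + 2] = '\0';
  return buf;
}

int main(void)
{
  /* Constructed scenario: a secure cookie set for https://target/ (path
   * "/"), then a clear-text response for the same host sets the same name
   * with path "/account". The correct decision is to refuse the overlay. */
  char *secure = sanitize_cookie_path("/");
  char *insecure = sanitize_cookie_path("/account");
  char *slash_after = path_with_neighbour(secure, '/');
  char *other_after = path_with_neighbour(secure, 'x');

  printf("secure path after sanitising \"/\": \"%s\" in a %zu-byte buffer\n",
         secure, strlen(secure) + 1);
  printf("vulnerable, next byte '/': overlay %s\n",
         insecure_may_overlay_vulnerable(slash_after, insecure) ? "ALLOWED" : "refused");
  printf("vulnerable, next byte 'x': overlay %s\n",
         insecure_may_overlay_vulnerable(other_after, insecure) ? "ALLOWED" : "refused");
  printf("fixed:                     overlay %s\n",
         insecure_may_overlay_fixed(secure, insecure) ? "ALLOWED" : "refused");

  free(secure);
  free(insecure);
  free(slash_after);
  free(other_after);
  return 0;
}
```

Build and run with `cc -o overlay overlay.c && ./overlay`. When the byte after the secure path's terminator is '/', the vulnerable check lets the clear-text cookie through; when it is anything else the check refuses it, which is the memory-dependent outcome the advisory describes. Note that with the clear-text cookie also at path "/" both variants happen to refuse, so the wrong conclusion shows up for paths below the secure cookie's path. Drop the padding helper and pass the single-byte allocation from sanitize_cookie_path("/") straight to the vulnerable function under AddressSanitizer (`-fsanitize=address`) and the read at secure_path + 1 is reported as a heap-buffer-overflow.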

Affected Version(s)

  • curl 8.15.0
  • curl 8.14.1
  • curl 8.14.0

Credit

Reported by: Google Big Sleep
Patched by: Daniel Stenberg