CVE-2025-9086: 
cURL vulnerability analysis and mitigation

CVE-2025-9086 is a vulnerability discovered in curl versions 7.31.0 through 8.15.0, identified as an out-of-bounds read issue for cookie path handling. The vulnerability was reported on August 11, 2025, and publicly disclosed on September 10, 2025. This security flaw affects the libcurl library implementation, specifically impacting how it handles secure cookies when transitioning between HTTPS and HTTP connections (curl docs).

The vulnerability occurs in a specific sequence where a cookie is set using the 'secure' keyword for an HTTPS target, followed by a redirect to the same hostname over HTTP, where the same cookie name is set with a path='/'. A bug in the path comparison logic causes curl to read outside a heap buffer boundary. The CVSS v3.1 base score is 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-125: Out-of-bounds Read (curl docs, NVD).

The vulnerability can result in either a crash or potentially incorrect comparison results, allowing a clear-text site to override the contents of a secure cookie. This behavior contradicts the expected security model where secure cookies should not be modifiable by non-secure sites. The impact is considered low severity by curl developers due to the limited control attackers have over the heap memory contents and the requirement for either control of the HTTP site or MITM capabilities (curl docs).

The vulnerability has been fixed in curl version 8.16.0. Users are recommended to upgrade to this version or later. Alternative mitigations include applying the security patch to local versions or avoiding the use of HTTP for cookies. The fix was implemented through a commit that corrects the path comparison logic (curl docs).