Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <53prr40r-31p6-rnn3-5q58-4511n287q7q8@unkk.fr>
Date: Wed, 10 Sep 2025 07:53:14 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: curl security announcements -- curl users <curl-users@...ts.haxx.se>, 
    curl-announce@...ts.haxx.se, libcurl hacking <curl-library@...ts.haxx.se>, 
    oss-security@...ts.openwall.com
Subject: [SECURITY ADVISORY] curl: CVE-2025-9086: Out of bounds read for
 cookie path

Out of bounds read for cookie path
==================================

Project curl Security Advisory, September 10 2025 -
[Permalink](https://curl.se/docs/CVE-2025-9086.html)

VULNERABILITY
-------------

1. A cookie is set using the `secure` keyword for `https://target`
2. curl is redirected to or otherwise made to speak with `http://target` (same
    hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set - but with just a slash as path (`path="/"`).
    Since this site is not secure, the cookie *should* just be ignored.
4. A bug in the path comparison logic makes curl read outside a heap buffer
    boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

INFO
----

The attacker needs to be in control of the `http://` site that uses the same
name as the `https://` version, or otherwise possess MITM capability, which
probably makes this problem the lesser one.

The attacker has no way to control or guess what is in the heap memory
following the path buffer that is being read out of bounds, making it a
fragile operation.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2025-9086 to this issue.

CWE-125: Out-of-bounds Read

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.31.0 to and including 8.15.0
- Not affected versions: curl < 7.31.0 and >= 8.16.0
- Introduced-in: https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d

libcurl is used by many applications, but not always advertised as such!

This bug is considered a *C mistake*. It is likely to have been avoided had we
not been using C.

This flaw does not affect the curl command line tool. While the curl tool can
be tricked to override the cookie in the same way, that does not make it a
vulnerability for the tool.

SOLUTION
------------

Starting in curl 8.16.0, this mistake is fixed.

- Fixed-in: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

RECOMMENDATIONS
--------------

  A - Upgrade curl to version 8.16.0

  B - Apply the patch to your local version

  C - Avoid using `http://` for cookies

TIMELINE
--------

This issue was reported to the curl project on August 11, 2025. We contacted
distros@...nwall on September 5, 2025.

curl 8.16.0 was released on September 10 2025 around 06:00 UTC, coordinated
with the publication of this advisory.

The curl security team is not aware of any active exploits using this
vulnerability.

CREDITS
-------

- Reported-by: Google Big Sleep
- Patched-by: Daniel Stenberg

Thanks a lot!

-- 

  / daniel.haxx.se || https://rock-solid.curl.dev

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.