
Curl CVE-2025-9086

Severity: HIGH (CVSS 3.1 base score 7.5)
Weakness: Out-of-bounds Read (CWE-125)
2025-09-12 2499f714-1537-4658-8207-48ae4bb9eae9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated (Mar 28, 2026 - 19:11, vuln.today)
Patch released (Mar 28, 2026 - 19:11, nvd): Patch available
PoC Detected (Jan 20, 2026 - 14:58, vuln.today): Public exploit code
CVE Published (Sep 12, 2025 - 06:15, nvd): HIGH 7.5

Description (NVD)

  1. A cookie is set using the secure keyword for https://target
  2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
  3. The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie *should* just be ignored.
  4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.
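The expected behaviour described above, as an added C example that is not curl's code and not part of the NVD description. It assumes the single-byte path allocation holds an empty NUL-terminated string; the struct, the function names and the first-segment matching rule are hypothetical simplifications.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a stored cookie; field names are hypothetical. */
struct cookie {
  const char *name;
  const char *path;  /* NUL-terminated; may be "" in a 1-byte buffer */
  bool secure;
};

/* Length of the first path segment: "/a/b" -> 2, "/" -> 1, "" -> 0.
   The length is checked before skipping the leading byte, so a 1-byte
   buffer holding only the terminator is never indexed past its end. */
static size_t first_segment_len(const char *path)
{
  size_t len = strlen(path);
  const char *sep = (len > 1) ? strchr(path + 1, '/') : NULL;
  return sep ? (size_t)(sep - path) : len;
}

/* Returns false when `incoming` must be ignored: a cookie received over
   clear-text HTTP may not replace a secure cookie of the same name whose
   path starts with the same first segment (an empty path matches all). */
static bool may_store(const struct cookie *stored,
                      const struct cookie *incoming, bool origin_is_https)
{
  size_t n = first_segment_len(incoming->path);
  if(strcmp(stored->name, incoming->name) != 0)
    return true;                     /* different cookie, no conflict */
  if(!stored->secure || origin_is_https)
    return true;                     /* rule only guards secure cookies */
  return strncmp(stored->path, incoming->path, n) != 0;
}

/* Scenario from the description, with constructed values: a secure cookie
   is stored, then the same name arrives over http:// with its path held
   in a 1-byte heap allocation. Returns true when the override is ignored. */
static bool scenario_override_ignored(void)
{
  char *tiny = calloc(1, 1);         /* one byte: just the terminator */
  struct cookie stored = { "sid", "/", true };
  struct cookie incoming = { "sid", tiny, false };
  bool ignored = tiny && !may_store(&stored, &incoming, false);
  free(tiny);
  return ignored;
}
```

Building this with AddressSanitizer enabled, as the remediation text suggests for testing, is a quick way to confirm the one-byte case stays in bounds.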

Analysis (AI)

Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical Context (AI)

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries.

  1. A cookie is set using the secure keyword for https://target
  2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
  3. The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie *should* just be ignored.
  4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Affected products include: Haxx Curl, Debian Debian Linux.

Remediation (AI)

A vendor patch is available. Apply the latest security update as soon as possible. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.
