CVE-2025-9086
EUVD-2025-2901412.09.2025, 06:15
1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| haxx | curl | 8.13.0 ≤ 𝑥 < 8.16.0 |
| debian | debian_linux | 11.0 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| Siemens | RUGGEDCOM RST2428P | 𝑥 < V3.3 | ADP |
| Siemens | RUGGEDCOM RST2428P | 𝑥 < V4.0 | ADP |
| Siemens | SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XCH328 | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XCM324 | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XCM328 | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XCM332 | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRH334 \(24 V DC\, 8xFO\, CC\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(230 V AC\, 12xFO\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(230 V AC\, 8xFO\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(230V AC\, 2x10G\, 24xSFP\, 8xSFP\+\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(24 V DC\, 12xFO\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(24 V DC\, 8xFO\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(24V DC\, 2x10G\, 24xSFP\, 8xSFP\+\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(2x230 V AC\, 12xFO\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(2x230 V AC\, 8xFO\) | 𝑥 < V3.3 | ADP |
| Siemens | SCALANCE XRM334 \(2x230V AC\, 2x10G\, 24xSFP\, 8xSFP\+\) | 𝑥 < V3.3 | ADP |
| curl | curl | 𝑥 ≤ 8.15.0 | CNA |
| curl | curl | 𝑥 ≤ 8.14.1 | CNA |
| curl | curl | 𝑥 ≤ 8.14.0 | CNA |
| curl | curl | 𝑥 ≤ 8.13.0 | CNA |
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| curl |
| ||||||||||||||||||||||||||
| libcurl-devel |
| ||||||||||||||||||||||||||
| libcurl4 |
| ||||||||||||||||||||||||||
| libcurl4-32bit |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||||
|---|---|---|---|---|---|
| curl |
| ||||
| curl-minimal |
| ||||
| libcurl |
| ||||
| libcurl-devel |
| ||||
| libcurl-minimal |
|
Amazon Linux Releases
Amazon Package | |||||
|---|---|---|---|---|---|
| curl |
| ||||
| curl-debuginfo |
| ||||
| curl-debugsource |
| ||||
| curl-minimal |
| ||||
| curl-minimal-debuginfo |
| ||||
| libcurl |
| ||||
| libcurl-debuginfo |
| ||||
| libcurl-devel |
| ||||
| libcurl-minimal |
| ||||
| libcurl-minimal-debuginfo |
|
Common Weakness Enumeration
Vulnerability Media Exposure
References