CVE-2025-9086 found in deb/debian/curl@8.14.1-2

Important

Risk: 2.12 (Low) CVSS: 7.5

Description

A cookie is set using the secure keyword for https://target
curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
The same cookie name is set - but with just a slash as path (path='/'). Since this site is not secure, the cookie should just be ignored.
A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Affected component

The vulnerability is in pkg:deb/debian/curl@8.14.1-2, found in artifacts pkg:oci/coreutils?repository_url=registry.opencode.de/open-code/oci/coreutils&tag=latest-amd64&arch=amd64, pkg:oci/coreutils?repository_url=registry.opencode.de/open-code/oci/coreutils&tag=latest-arm64&arch=arm64, pkg:oci/coreutils?repository_url=registry.opencode.de/open-code/oci/coreutils&tag=latest-arm64-debug&arch=arm64, pkg:oci/coreutils?repository_url=registry.opencode.de/open-code/oci/coreutils&tag=latest-amd64-debug&arch=amd64.

Recommended fix

No fix is available.

Additional guidance for mitigating vulnerabilities

Visit our guides on devguard.org

See more details...

Path to component

 %%{init: { 'theme':'base', 'themeVariables': {
'primaryColor': '#F3F3F3',
'primaryTextColor': '#0D1117',
'primaryBorderColor': '#999999',
'lineColor': '#999999',
'secondaryColor': '#ffffff',
'tertiaryColor': '#ffffff'
} }}%%
 flowchart TD
root(["root"]) --- sbom_DEFAULT(["sbom:DEFAULT"])
sbom_DEFAULT(["sbom:DEFAULT"]) --- debian_curl(["debian/curl"])

classDef default stroke-width:2px

Risk Factor	Value	Description
Vulnerability Depth	`2`	The vulnerability is in a dependency of a dependency in your project. It is 2 levels deep.
EPSS	`0.10 %`	The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days.
EXPLOIT	`Not available`	We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database. There are no script kiddies exploiting this vulnerability.
CVSS-BE	`9.3`	- Exploiting this vulnerability significantly impacts availability.
CVSS-B	`7.5`	- The vulnerability can be exploited over the network without needing physical access. - It is easy for an attacker to exploit this vulnerability. - An attacker does not need any special privileges or access rights. - No user interaction is needed for the attacker to exploit this vulnerability. - The impact is confined to the system where the vulnerability exists. - There is a high impact on the availability of the system.

More details can be found in DevGuard

Interact with this vulnerability

You can use the following slash commands to interact with this vulnerability:

👍 Reply with this to acknowledge and accept the identified risk.

/accept I accept the risk of this vulnerability, because ...

⚠️ Mark the risk as false positive: Use one of these commands if you believe the reported vulnerability is not actually a valid issue.

/component-not-present The vulnerable component is not included in the artifact.

/vulnerable-code-not-present The component is present, but the vulnerable code is not included or compiled.

/vulnerable-code-not-in-execute-path The vulnerable code exists, but is never executed at runtime.

/vulnerable-code-cannot-be-controlled-by-adversary Built-in protections prevent exploitation of this vulnerability.

/inline-mitigations-already-exist The vulnerable code cannot be controlled or influenced by an attacker.

🔁 Reopen the risk: Use this command to reopen a previously closed or accepted vulnerability.

/reopen ...