Home > Vulnerability Database > CVE-2025-9086

Mend.io Vulnerability Database

CVE-2025-9086

Good to know:

Date: September 10, 2025

Out of bounds read for cookie path in curl 7.31.0 to and including 8.15.0. An attacker needs to be in control of the `http://` site that uses the same name as the `https://` version, or otherwise possess MITM capability, which probably makes this problem the lesser one. The attacker has no way to control or guess what is in the heap memory following the path buffer that is being read out of bounds, making it a fragile operation. The vulnerability is fixed in 8.16.0.

Severity Score

5.3

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-9086

Url: https://seclists.org/oss-sec/2025/q3/160

Url: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

Url: https://www.mend.io/vulnerability-database/CVE-2025-9086

Severity Score

5.3

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Top Fix

Upgrade Version

Upgrade to version libcurl - null;https://github.com/curl/curl.git - curl-8_16_0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-9086

Good to know:

Date: September 10, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?