CVE-2025-9086

1. A cookie is set using the `secure` keyword for `https://target`<br /> 2. curl is redirected to or otherwise made to speak with `http://target` (same<br /> hostname, but using clear text HTTP) using the same cookie set<br /> 3. The same cookie name is set - but with just a slash as path (`path=&amp;#39;/&amp;#39;`).<br /> Since this site is not secure, the cookie *should* just be ignored.<br /> 4. A bug in the path comparison logic makes curl read outside a heap buffer<br /> boundary<br /> <br /> The bug either causes a crash or it potentially makes the comparison come to<br /> the wrong conclusion and lets the clear-text site override the contents of the<br /> secure cookie, contrary to expectations and depending on the memory contents<br /> immediately following the single-byte allocation that holds the path.<br /> <br /> The presumed and correct behavior would be to plainly ignore the second set of<br /> the cookie since it was already set as secure on a secure host so overriding<br /> it on an insecure host should not be okay.