_________________________/\\\\\\\\\\\______________________________________________________________________________________________________________________________________ _______________________/\\\/////////\\\____________________________________________________________________________________________________________________________________ ______________________\//\\\______\///____________________________________________________________/\\\_____/\\\_________/\\\__/\\\_________________________________________ _______________________\////\\\_____________/\\\\\\\\______/\\\\\\\\__/\\\____/\\\__/\\/\\\\\\\__\///___/\\\\\\\\\\\___\//\\\/\\\__________________________________________ __________________________\////\\\________/\\\/////\\\___/\\\//////__\/\\\___\/\\\_\/\\\/////\\\__/\\\_\////\\\////_____\//\\\\\___________________________________________ _____________________________\////\\\____/\\\\\\\\\\\___/\\\_________\/\\\___\/\\\_\/\\\___\///__\/\\\____\/\\\__________\//\\\____________________________________________ ______________________/\\\______\//\\\__\//\\///////___\//\\\________\/\\\___\/\\\_\/\\\_________\/\\\____\/\\\_/\\___/\\_/\\\_____________________________________________ _____________________\///\\\\\\\\\\\/____\//\\\\\\\\\\__\///\\\\\\\\_\//\\\\\\\\\__\/\\\_________\/\\\____\//\\\\\___\//\\\\/______________________________________________ _______________________\///////////_______\//////////_____\////////___\/////////___\///__________\///______\/////_____\////________________________________________________ _____________________________________________/\\\\\\\\\\\__________________/\\\_______________________________________________________________________________________________________ ___________________________________________/\\\/////////\\\_______________\/\\\_______________________________________________________________________________________________________ 
__________________________________________\//\\\______\///________________\/\\\_________________________/\\\_______________________________________/\\\_______________________________ ___________________________________________\////\\\__________/\\\____/\\\_\/\\\_________/\\\\\\\\\\__/\\\\\\\\\\\__/\\/\\\\\\\___/\\\\\\\\\_____/\\\\\\\\\\\_____/\\\\\\\\____________ ______________________________________________\////\\\______\/\\\___\/\\\_\/\\\\\\\\\__\/\\\//////__\////\\\////__\/\\\/////\\\_\////////\\\___\////\\\////____/\\\/////\\\___________ _________________________________________________\////\\\___\/\\\___\/\\\_\/\\\////\\\_\/\\\\\\\\\\____\/\\\______\/\\\___\///____/\\\\\\\\\\_____\/\\\_______/\\\\\\\\\\\____________ __________________________________________/\\\______\//\\\__\/\\\___\/\\\_\/\\\__\/\\\_\////////\\\____\/\\\_/\\__\/\\\__________/\\\/////\\\_____\/\\\_/\\__\//\\///////_____________ _________________________________________\///\\\\\\\\\\\/___\//\\\\\\\\\__\/\\\\\\\\\___/\\\\\\\\\\____\//\\\\\___\/\\\_________\//\\\\\\\\/\\____\//\\\\\____\//\\\\\\\\\\___________ ___________________________________________\///////////______\/////////___\/////////___\//////////______\/////____\///___________\////////\//______\/////______\//////////____________

CVE-2025-9086: Curl Cookie Path Heap Overflow

CVE ID: CVE-2025-9086

Severity: HIGH | CVSS: 7.5

Attack Vector: NETWORK | Published: September 12, 2025

Sources: 2 different security sources

Let Me Explain What Happened

Let me walk you through a vulnerability that affects curl, one of the most widely used tools for transferring data across networks. This issue involves how curl handles cookies when it is redirected from a secure HTTPS connection to an insecure HTTP connection to the same host. When a specific sequence of events occurs, curl reads memory it shouldn't be touching—what we call an "out of bounds read"—which can either crash the application or, worse, allow an insecure website to override a cookie that was supposed to be protected. Think of it like someone finding a way to replace the contents of a locked safe by exploiting a flaw in how the lock checks its combination.

A Bit More Detail

Here's what makes this particularly concerning: curl is embedded in countless applications, libraries, and even industrial control systems. The vulnerability was serious enough that both Microsoft and CISA issued advisories, with CISA specifically noting that Siemens SINEC OS products—used in ruggedized industrial networking equipment—are affected. The bug stems from a path comparison logic error that occurs when handling cookies during protocol downgrades from HTTPS to HTTP.

The Technical Specifics

Let me break down exactly how this vulnerability works, because understanding the mechanism helps you appreciate why it's dangerous:

  • Attack Vector: NETWORK (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVSS Score: 7.5 (HIGH severity according to NVD)
  • Attack Complexity: Low—no special privileges or user interaction required
  • Primary Impact: High availability impact (crashes), potential integrity impact (cookie override)
  • CWE Classification: Not yet assigned in NVD data

Understanding the Vulnerability Sequence

The vulnerability follows a specific sequence of events. First, a cookie is set with the secure attribute for an HTTPS connection to a target hostname. This secure flag is supposed to keep the cookie from being transmitted over insecure connections and from being replaced by them. Second, curl is redirected to, or otherwise made to communicate with, the same hostname, but this time over plain HTTP instead of HTTPS. Third, the same cookie name is set again, but with just a slash as the path (path='/'). Since this second site is not secure, curl should simply ignore this cookie—the secure flag on the original cookie should prevent any override.

However, here's where the bug comes in: a flaw in the path comparison logic causes curl to read past the end of a heap buffer while comparing the two cookie paths. This is an out-of-bounds read rather than a write, but because the comparison operates on whatever bytes happen to sit beyond the buffer boundary, the result is either a crash (denial of service) or a comparison that reaches the wrong conclusion and allows the insecure HTTP site to override the contents of the secure cookie.
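To make the intended behavior concrete, here is an added policy model of the cookie-store rule that the three-step sequence above relies on. It is not curl's code and does not reproduce curl's path comparison; it is a conservative model in which a cookie arriving over plain HTTP may never shadow an existing secure cookie of the same name and domain, and it replays the advisory's sequence against that rule. The cookie names, hostname and paths are constructed sample values.

```python
"""Policy model for the secure-cookie override sequence (added example,
not curl's implementation). The path-match helper follows RFC 6265
section 5.1.4 using only bounds-safe string operations."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool


def path_match(request_path: str, cookie_path: str) -> bool:
    """True when cookie_path covers request_path (RFC 6265 path-match).

    A cookie with path "/" matches every request path, which is exactly
    why a path='/' cookie can shadow a narrower one if the store lets it.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # cookie_path is a proper prefix here, so this index is in range.
    return request_path[len(cookie_path)] == "/"


class CookieJar:
    """Minimal store that enforces "leave secure cookies alone"."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str, str], Cookie] = {}

    def set_cookie(self, cookie: Cookie, over_https: bool) -> bool:
        """Apply the store policy; return True if the cookie was stored."""
        if not over_https:
            if cookie.secure:
                # Secure cookies may only be created over a secure scheme.
                return False
            for existing in self._store.values():
                if (existing.name == cookie.name
                        and existing.domain == cookie.domain
                        and existing.secure
                        and path_match(existing.path, cookie.path)):
                    # The new plain-HTTP cookie would shadow a secure one:
                    # keep the secure cookie and drop the new one.
                    return False
        self._store[(cookie.name, cookie.domain, cookie.path)] = cookie
        return True

    def cookies_for(self, host: str, path: str, over_https: bool) -> List[Cookie]:
        """Cookies that would be attached to a request for host/path."""
        return [
            c for c in self._store.values()
            if c.domain == host
            and path_match(path, c.path)
            and (over_https or not c.secure)
        ]


def replay_advisory_sequence() -> Tuple[bool, Optional[str]]:
    """Run the advisory's three steps against the model.

    Returns (was the plain-HTTP cookie accepted, value an HTTPS request
    for /account sees afterwards). Expected: (False, original value).
    """
    jar = CookieJar()
    # Step 1: secure cookie set over https://portal.example.com (constructed host).
    jar.set_cookie(Cookie("session", "original-secure-value",
                          "portal.example.com", "/account", secure=True),
                   over_https=True)
    # Steps 2 and 3: same host reached over plain HTTP, same cookie name,
    # path "/" and no secure attribute.
    accepted = jar.set_cookie(Cookie("session", "plaintext-override",
                                     "portal.example.com", "/", secure=False),
                              over_https=False)
    sent = jar.cookies_for("portal.example.com", "/account", over_https=True)
    return accepted, (sent[0].value if sent else None)


if __name__ == "__main__":
    print(replay_advisory_sequence())
```

The check in `set_cookie` is deliberately one-directional: it asks whether the existing secure cookie's path falls under the new cookie's path, because that is the shadowing direction the advisory sequence exercises. The point of the model is that the decision depends only on the two path strings, never on bytes beyond them.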

Affected Products and Real-World Impact

According to CISA's advisory published on February 12, 2026, this vulnerability affects Siemens SINEC OS versions before V3.3. Specifically impacted are:

  • RUGGEDCOM RST2428P (Product ID: 6GK6242-6PA00) running SINEC OS versions below 3.3
  • Multiple other Siemens industrial networking products using vulnerable curl versions

Microsoft also acknowledged this vulnerability in their Security Response Center update on December 6, 2025, indicating that Windows components or applications using affected curl versions may be vulnerable. The curl project itself published detailed information at their security advisory page, including a HackerOne report that provides additional technical details.

What You Should Do About This

Let me guide you through the steps you need to take, starting with immediate actions and then moving to longer-term solutions:

  • Right Now:
    • Identify affected systems: Inventory all systems running curl, paying special attention to embedded systems, industrial control systems, and any Siemens SINEC OS deployments. Check your curl version against the affected range in the curl security advisory—any build that still contains the vulnerable path comparison code is at risk.
    • Assess exposure: Determine if your systems handle cookies during HTTPS-to-HTTP redirects. Systems that strictly enforce HTTPS-only connections have reduced exposure, but don't assume you're safe without verification.
    • Monitor for crashes: Watch for unexplained curl crashes or application failures that might indicate exploitation attempts. While the CVSS vector shows this primarily as an availability issue (A:H), the potential for cookie override means you should also monitor for unexpected authentication or session behavior.
    • Implement network controls: If possible, use network policies to prevent or log HTTPS-to-HTTP downgrades, especially for critical applications. This won't fix the vulnerability, but it reduces the attack surface.
  • For the Long Term:
    • Update curl: Apply patches from the curl project as soon as they're available and tested in your environment. The curl security advisory at https://curl.se/docs/CVE-2025-9086.html will contain version-specific patch information.
    • Update Siemens products: For SINEC OS users, Siemens has released version 3.3 which addresses this vulnerability along with other third-party component issues. Plan your upgrade path carefully, as industrial systems often require maintenance windows and extensive testing.
    • Review cookie security policies: This is a good opportunity to audit how your applications handle cookies. Ensure you're using the secure flag appropriately, consider adding HttpOnly and SameSite attributes where applicable, and implement HSTS (HTTP Strict Transport Security) to prevent protocol downgrades.
    • Test thoroughly: Before deploying updates to production, especially in industrial environments, test in a staging environment that mirrors your production setup. Verify that the patch doesn't break existing functionality.

Detection and Hunting Guidance

If you're a security analyst or incident responder, here's what you should look for:

  • Application crashes: Look for segmentation faults or unexpected terminations in processes using curl, particularly those handling HTTP/HTTPS traffic with cookie management.
  • Protocol downgrades: Monitor for HTTPS-to-HTTP redirects, especially those involving the same hostname. This pattern is central to the exploitation sequence.
  • Cookie anomalies: Watch for unexpected changes to secure cookies, particularly if they occur in conjunction with protocol downgrades or mixed-content scenarios.
  • Memory corruption indicators: Heap corruption detection tools may catch exploitation attempts if you have them deployed.
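As an added example for the protocol-downgrade item above (not part of the advisory or of any vendor tooling), the following script hunts proxy-style access logs for 3xx responses that send a client from an https:// URL to an http:// one, and reports same-host downgrades separately, since those are the cases the cookie-override sequence needs. The log format and the sample lines are constructed; adjust `LINE_RE` to whatever your proxy or gateway actually emits.

```python
"""Hunt for HTTPS-to-HTTP redirects in access logs (added example).

Assumed, constructed log format: timestamp client method url status location
where location is the Location header value or "-" when absent.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2026-02-13T10:00:01Z 10.0.0.5 GET https://portal.example.com/login 200 -
2026-02-13T10:00:02Z 10.0.0.5 GET https://portal.example.com/account 302 http://portal.example.com/account
2026-02-13T10:00:03Z 10.0.0.5 GET http://portal.example.com/account 200 -
2026-02-13T10:00:04Z 10.0.0.7 GET https://cdn.example.net/a.js 301 https://cdn.example.net/b.js
2026-02-13T10:00:05Z 10.0.0.7 GET https://shop.example.org/ 302 http://other.example.org/
2026-02-13T10:00:06Z 10.0.0.9 GET https://portal.example.com/account 302 http://portal.example.com/
2026-02-13T10:00:07Z 10.0.0.9 GET https://portal.example.com/health 307 HTTP://PORTAL.EXAMPLE.COM/health
"""


def find_downgrade_redirects(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per redirect whose target scheme drops to http."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client, _method, url, status, location = m.groups()
        if int(status) not in REDIRECT_STATUSES or location == "-":
            continue
        src, dst = urlsplit(url), urlsplit(location)
        # urlsplit lower-cases scheme and hostname; .lower() is belt-and-braces.
        if src.scheme.lower() != "https" or dst.scheme.lower() != "http":
            continue
        findings.append({
            "line": lineno,
            "time": ts,
            "client": client,
            "from": url,
            "to": location,
            # Same hostname over a weaker scheme is the pattern from the advisory.
            "same_host": src.hostname == dst.hostname,
        })
    return findings


def hosts_with_same_host_downgrade(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count same-host downgrades per hostname: the first hosts to check for
    unexpected cookie changes and for crashing curl-based clients."""
    return dict(Counter(
        urlsplit(str(f["from"])).hostname for f in findings if f["same_host"]
    ))


if __name__ == "__main__":
    results = find_downgrade_redirects(SAMPLE_LOG)
    for f in results:
        flag = "SAME-HOST" if f["same_host"] else "cross-host"
        print(f"line {f['line']} {f['time']} {f['client']} {flag}: {f['from']} -> {f['to']}")
    print(hosts_with_same_host_downgrade(results))
```

Cross-host downgrades are still reported because they are worth knowing about, but the same-host counter is the list to correlate with the cookie-anomaly and crash indicators listed above.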

Going Deeper: The Security Implications

While the NVD CVSS vector rates this primarily as an availability issue (C:N/I:N/A:H), I want you to understand why the integrity implications might be more serious than the score suggests. The ability to override a secure cookie—even if it depends on specific memory contents—represents a violation of the cookie security model that browsers and applications rely on. If an attacker can control or predict the memory layout (which is sometimes possible through heap spraying or other techniques), they might be able to reliably override secure cookies, leading to session hijacking or authentication bypass.

The fact that this requires no privileges (PR:N), no user interaction (UI:N), and has low attack complexity (AC:L) makes it particularly concerning for automated exploitation. An attacker could potentially set up a malicious site that triggers redirects designed to exploit this vulnerability in visitors' applications that use curl.

For industrial control systems like those running Siemens SINEC OS, the availability impact is especially critical. These systems often run in environments where unexpected crashes can have safety implications or cause operational disruptions. The combination of network accessibility and the potential for denial of service makes this a priority patch for OT environments.

Timeline of Disclosure

Understanding when information became available helps you assess your response timeline:

  • September 10, 2025: Initial disclosure on the oss-security mailing list
  • September 12, 2025: Official CVE publication in the National Vulnerability Database
  • December 6, 2025: Microsoft Security Response Center published their advisory
  • February 12, 2026: CISA published ICS advisory specifically addressing Siemens SINEC OS impact

This timeline shows that the vulnerability has been public knowledge for several months, which means you should treat patching as urgent if you haven't already addressed it.


Note: This analysis is based on publicly available security intelligence from multiple authoritative sources. The vulnerability affects real-world systems including industrial control equipment. Always test updates in a non-production environment before deploying to critical systems, and follow your organization's change management procedures, especially for OT environments.
