curl / Mailing Lists / curl-library / Single Mail

Buy commercial curl support. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder Daniel himself.

Re: CVE-2025-9086 introduced later than originally assessed?

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 5 Jan 2026 23:19:29 +0100 (CET)

On Sun, 4 Jan 2026, Samuel Henrique via curl-library wrote:

> I was investigating CVE-2025-9086 for Debian
>
> Running a git bisect on the upstream project [0], I've landed on the following
> commit as introducing the ASAN failure:
> https://github.com/curl/curl/commit/1aea05a6c2699e80c75936d58569851555acd603

Thanks all of you for doing this.

With your experiences and me reviewing this commit again, I am bound to agree
with you. This vulnerability was introduced in the commit mentioned above,
which was first included in curl 8.13.0.

PR to fix: https://github.com/curl/curl-www/pull/532

I believe the mistake was entirely mine and happened simply because I was
sloppy and only manually went through the cookie.c history using git blame.

-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html

Received on 2026-01-05

This message: [ Message body ]
Next message: Stefan Eissing via curl-library: "Re: Rate limit regressions in libcurl 8.18.0 vs 8.17.0"
Previous message: Dmitry Karpov via curl-library: "Re: Rate limit regressions in libcurl 8.18.0 vs 8.17.0"
In reply to: Samuel Henrique via curl-library: "CVE-2025-9086 introduced later than originally assessed?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]