=====================================================================
CERT-Renater Information Note No. 2025/VULN595
_____________________________________________________________________

DATE                 : 10/09/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running curl versions prior to 8.16.0.
=====================================================================

https://curl.se/docs/CVE-2025-9086.html
https://curl.se/docs/CVE-2025-10148.html
_____________________________________________________________________

CVE-2025-9086: Out of bounds read for cookie path

Project curl Security Advisory, September 10 2025

VULNERABILITY

1. A cookie is set using the secure keyword for https://target
2. curl is redirected to or otherwise made to speak with http://target
   (same hostname, but using clear text HTTP) using the same cookie set
3. The same cookie name is set, but with just a slash as path
   (path="/"). Since this site is not secure, the cookie should just be
   ignored.

A bug in the path comparison logic makes curl read outside a heap buffer
boundary. The bug either causes a crash or it potentially makes the
comparison come to the wrong conclusion and lets the clear-text site
override the contents of the secure cookie, contrary to expectations and
depending on the memory contents immediately following the single-byte
allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second
set of the cookie, since it was already set as secure on a secure host
and overriding it on an insecure host should not be okay.

INFO

The attacker needs to be in control of the http:// site that uses the
same name as the https:// version, or otherwise possess MITM capability,
which probably makes this problem the lesser one.

The attacker has no way to control or guess what is in the heap memory
following the path buffer that is being read out of bounds, making it a
fragile operation.
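As an added illustration of the behavior the advisory calls correct (this is not curl's code and not the patched routine), the following C shows a path match written against explicit lengths, so the single-byte "/" allocation is compared as exactly one byte, together with the RFC 6265bis rule that a cookie received over clear-text HTTP must not replace a stored Secure cookie; the cookie names and paths in the comments are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One stored cookie, reduced to the fields the advisory's rule needs. */
struct cookie {
    const char *name;
    const char *path;   /* NUL-terminated cookie path, e.g. "/" */
    bool secure;        /* carries the Secure attribute */
};

/* RFC 6265 section 5.1.4 path-match, written against explicit lengths so
 * the comparison never reads past the shorter buffer: the single-byte "/"
 * path from the advisory is compared as exactly one byte. */
bool path_match(const char *request_path, size_t req_len,
                const char *cookie_path, size_t cp_len)
{
    if (cp_len == 0 || req_len < cp_len)
        return false;
    if (memcmp(request_path, cookie_path, cp_len) != 0)
        return false;
    if (req_len == cp_len)
        return true;          /* identical paths */
    if (cookie_path[cp_len - 1] == '/')
        return true;          /* cookie path is a prefix ending in "/" */
    return request_path[cp_len] == '/';   /* prefix followed by "/" */
}

/* The "presumed and correct behavior" from the advisory (the RFC 6265bis
 * "leave secure cookies alone" rule): a cookie arriving over clear-text
 * HTTP must not replace a stored Secure cookie of the same name whose
 * path the incoming path matches. Returns true if the incoming cookie may
 * be stored, false if it must be ignored. */
bool secure_override_allowed(const struct cookie *stored,
                             const struct cookie *incoming,
                             bool received_over_https)
{
    if (received_over_https || !stored->secure)
        return true;          /* nothing to protect on this channel */
    if (strcmp(stored->name, incoming->name) != 0)
        return true;          /* different cookie, no conflict */
    return !path_match(incoming->path, strlen(incoming->path),
                       stored->path, strlen(stored->path));
}
```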
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2025-9086 to this issue.

CWE-125: Out-of-bounds Read

Severity: Low

AFFECTED VERSIONS

Affected versions: curl 7.31.0 to and including 8.15.0
Not affected versions: curl < 7.31.0 and >= 8.16.0
Introduced-in: https://github.com/curl/curl/commit/f24dc09d209a2f91ca38d

libcurl is used by many applications, but not always advertised as such!

This bug is considered a C mistake. It is likely to have been avoided
had we not been using C.

This flaw does not affect the curl command line tool. While the curl
tool can be tricked to override the cookie in the same way, that does
not make it a vulnerability for the tool.

SOLUTION

Starting in curl 8.16.0, this mistake is fixed.

Fixed-in: https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

RECOMMENDATIONS

A - Upgrade curl to version 8.16.0
B - Apply the patch to your local version
C - Avoid using http:// for cookies

TIMELINE

This issue was reported to the curl project on August 11, 2025.
We contacted distros@openwall on September 5, 2025.
curl 8.16.0 was released on September 10 2025 around 06:00 UTC,
coordinated with the publication of this advisory.

The curl security team is not aware of any active exploits using this
vulnerability.

CREDITS

Reported-by: Google Big Sleep
Patched-by: Daniel Stenberg

Thanks a lot!
_____________________________________________________________________

CVE-2025-10148: predictable WebSocket mask

Project curl Security Advisory, September 10 2025

VULNERABILITY

curl's WebSocket code did not update the 32-bit mask pattern for each
new outgoing frame as the specification says. Instead it used a fixed
mask that persisted and was used throughout the entire connection.
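As an added example of the per-frame masking that RFC 6455 requires and that the advisory says was missing (not curl's code and not the patched routine), the C below builds a masked client frame with a key drawn fresh for each frame, and a check flags a connection whose frames all carry the same key; the payloads and keys used in the comments are constructed, and reading /dev/urandom is an assumption about the host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6455 section 5.3: each client frame carries its own 32-bit masking
 * key and the payload is XORed with key[i % 4]. The advisory's bug is
 * reusing one key for every frame of the connection.
 * Draw a fresh key from the OS CSPRNG (assumption: a POSIX host with
 * /dev/urandom). Returns false if no key could be read; the caller must
 * then not send the frame rather than fall back to a fixed key. */
bool ws_fresh_mask(uint8_t key[4])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return false;
    size_t n = fread(key, 1, 4, f);
    fclose(f);
    return n == 4;
}

/* Build a masked client frame: FIN|opcode, MASK bit|7-bit length (payloads
 * under 126 bytes only, enough to show the point), key, masked payload.
 * Returns the frame length, or 0 if the payload is too long. Masking is
 * XOR, so the same loop over frame+6 with the same key recovers the payload. */
size_t ws_build_masked_frame(uint8_t opcode, const uint8_t key[4],
                             const uint8_t *payload, size_t len, uint8_t *frame)
{
    if (len >= 126)
        return 0;
    frame[0] = 0x80 | (opcode & 0x0f);
    frame[1] = 0x80 | (uint8_t)len;
    memcpy(frame + 2, key, 4);
    for (size_t i = 0; i < len; i++)
        frame[6 + i] = payload[i] ^ key[i % 4];
    return 6 + len;
}

/* Detection check for the advisory's behaviour: the key at bytes 2..5 of
 * short masked frames being identical across frames of one connection. */
bool ws_mask_reused(const uint8_t *const *frames, size_t count)
{
    for (size_t i = 0; i < count; i++)
        for (size_t j = i + 1; j < count; j++)
            if (memcmp(frames[i] + 2, frames[j] + 2, 4) == 0)
                return true;
    return false;
}
```

With a fixed key, two frames carrying the same payload produce byte-identical wire data, which is exactly what lets a confused proxy treat the stream as predictable content; with a fresh key per frame they differ.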
A predictable mask pattern allows a malicious server to induce traffic
between the two communicating parties that could be interpreted by an
involved proxy (configured or transparent) as genuine, real HTTP traffic
with content and thereby poison its cache. That cached poisoned content
could then be served to all users of that proxy.

INFO

This exact scenario is warned about in the security section of the
WebSocket RFC 6455 and is the very reason the mask should be updated for
every outgoing frame.

For this bug to become a real-life problem, the libcurl-using
application must be communicating through such a (defective) proxy that
confuses a WebSocket communication for HTTP traffic. Further, to trigger
the problem it requires the traffic to be done using clear text HTTP /
WebSocket (ws://) and not over TLS (wss://).

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2025-10148 to this issue.

CWE-340: Generation of Predictable Numbers or Identifiers

Severity: Low

AFFECTED VERSIONS

Affected versions: curl 7.86.0 to and including 8.15.0
Not affected versions: curl < 7.86.0 and >= 8.16.0
Introduced-in: https://github.com/curl/curl/commit/d78e129d50b2d1

WebSocket was considered experimental before 7.86.0 and therefore we do
not consider earlier versions vulnerable.

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a C mistake. It is not likely to have been
avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION

Starting in curl 8.16.0, this mistake is fixed.

Fixed-in: https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa

RECOMMENDATIONS

A - Upgrade curl to version 8.16.0
B - Apply the patch to your local version
C - Avoid using ws://

TIMELINE

This issue was reported to the curl project on September 8, 2025.
We contacted distros@openwall on September 9, 2025.
curl 8.16.0 was released on September 10 2025 around 06:00 UTC,
coordinated with the publication of this advisory.

The curl security team is not aware of any active exploits using this
vulnerability.

CREDITS

Reported-by: Calvin Ruocco (Vector Informatik GmbH)
Patched-by: Daniel Stenberg

Thanks a lot!

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email: cert@support.renater.fr   +
=========================================================