CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2025-9086 | LOW | curl | 8.3.0-1.amzn2.0.9 | 8.3.0-1.amzn2.0.10 | 2025-09-12T06:15:44.1Z | 2025-11-11T10:18:25.192063567Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/provided:al2 | public.ecr.aws/lambda/provided@sha256:eccee0bbf3883dc0941d7fab4a3caf9da71eed2a753f31701204d186121ca569 |
| public.ecr.aws/lambda/python:3.11 | public.ecr.aws/lambda/python@sha256:617e4394c39c80dbb87dda4e70013685e1d90310e61b8d0a6b2d959c824e47ae |
| public.ecr.aws/lambda/python:3.10 | public.ecr.aws/lambda/python@sha256:bbd9d4af40145fd0d54895b198ec0dec1853252c840c7f88b4d47ea1c99dd9e7 |
| public.ecr.aws/lambda/python:3.9 | public.ecr.aws/lambda/python@sha256:aac6fee9957a339fc6f506aeaf5d0e63d8e1386bb1b90b886a24c5284de97fbb |
| public.ecr.aws/lambda/java:17 | public.ecr.aws/lambda/java@sha256:16b915d7e4fde6c25fa87ba1fe2b9e3360ded2e513ee559d944e812ca88fb341 |
| public.ecr.aws/lambda/java:11 | public.ecr.aws/lambda/java@sha256:616af229e7078e598b3acdab623d67eb88913a8ab30febebf048e833a7afd2a9 |
| public.ecr.aws/lambda/java:8.al2 | public.ecr.aws/lambda/java@sha256:71239ce0c42100fb4541e320074fda17c5476c1f426efd0229dc4bd135f0d3ae |
| public.ecr.aws/lambda/ruby:3.2 | public.ecr.aws/lambda/ruby@sha256:d8bec33d637eb736e96c2fdf91aec6796c7e1b29efe26a567209f4ce55e4fb3e |
Description
- A cookie is set using the `secure` keyword for `https://target`
- curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set
- The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie should just be ignored.
- A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of the
secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.
Remediation Steps
- Update the affected package `curl` from version `8.3.0-1.amzn2.0.9` to `8.3.0-1.amzn2.0.10`.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.