← back
CVE-2022-31629

$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities

CVSS 6.5 MEDIUMEPSS 49.3%CWE-1284CWE-20
In short

PHP automatically converts dots in cookie names to underscores, allowing attackers to bypass security protections meant to prevent tampering with sensitive cookies. An attacker can set a regular cookie that PHP mistakenly treats as a protected one, potentially compromising security.

Technical detail

Attackers can exploit PHP's cookie name sanitization (dot-to-underscore conversion) to bypass `__Host-` and `__Secure-` cookie prefixes, which are designed to prevent cookie tampering. By crafting a cookie name with dots that resolves to a protected prefix after conversion, an attacker on the same network or site can inject malicious cookies that the application trusts as secure, undermining cookie integrity validation.

Summary generated and translated by AI from the official description.
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected products
PHP Group · PHP

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://bugs.php.net/bug.php?id=81727https://lists.debian.org/debian-lts-announce/2022/12/msg00030.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSJVPJTX7T3J5V7XHR4MFNHZGP44R5XE/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJZK3X6B7FBE32FETDSMRLJXTFTHKWSY/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGWIK3HMBACERGB4TSBB2JUOMPYY2VKY/https://security.gentoo.org/glsa/202211-03https://security.netapp.com/advisory/ntap-20221209-0001/