PHP Input Validation Vulnerability (CVE-2022-31629) Allows Malicious Cookie Injection
A PHP input-validation flaw (CVE-2022-31629) in several versions lets attackers inject malicious __Host- or __Secure- prefixed cookies, which the application may accept and act upon. The issue can be mitigated by upgrading to a patched PHP release.
Vulnerability Description
PHP is an open-source scripting language commonly embedded in HTML for web development. Certain PHP versions contain an input-validation flaw that enables an attacker to set a malicious cookie in a victim's browser. The cookie carries the __Host- or __Secure- prefix; PHP treats it as a legitimate cookie, and it may be used to trick the application into performing unauthorized actions.
Affected Versions
The vulnerability affects the following version ranges:
php@8.1.x before 8.1.11 (exclusive)
php@8.0.x before 8.0.24 (exclusive)
php@< 7.4.31 (all earlier releases)
Remediation
Upgrade PHP to version 7.4.31, 8.0.24, 8.1.11, or any later release where the issue has been fixed.
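To check a fleet against the fixed releases listed above, the following added example (not from the original article) classifies reported PHP version strings. The function names, host names and inventory values are constructed for illustration; the check compares upstream version numbers only, so distribution packages that backport the fix under an older version number still need to be confirmed against the vendor's advisory.

```python
import re

# First fixed release per 8.x branch, taken from the Remediation text above.
FIXED_BY_BRANCH = {(8, 1): (8, 1, 11), (8, 0): (8, 0, 24)}
# Every release below this one is listed as affected.
FIXED_74 = (7, 4, 31)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract (major, minor, patch) from strings such as 'PHP 8.0.23 (cli)'
    or '7.4.3-4ubuntu2.19'. Returns None when no x.y.z triple is present."""
    match = _VERSION_RE.search(text)
    return tuple(int(g) for g in match.groups()) if match else None


def classify(text):
    """Return 'affected', 'not-affected' or 'unknown' for one version string.
    'not-affected' means outside the ranges this advisory lists."""
    version = parse_php_version(text)
    if version is None:
        return "unknown"
    if version < FIXED_74:
        return "affected"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None and version < fixed:
        return "affected"
    return "not-affected"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample: host name -> output of `php -v` or a package listing.
SAMPLE_INVENTORY = {
    "web-01": "PHP 8.1.10 (cli) (built: Sep  1 2022 00:00:00)",
    "web-02": "PHP 8.1.11 (cli)",
    "api-01": "8.0.23",
    "legacy-01": "7.4.3-4ubuntu2.19",  # upstream number only; may carry a backport
    "batch-01": "7.4.33",
    "broken-01": "sh: php: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {status}")
```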
Reference Information
Vulnerability Name: PHP Input Validation Improper Handling
Vulnerability Type: Improper Input Validation
Discovery Date: 2022-09-29
Impact Scope: Wide
MPS ID: MPS-2022-12658
CVE ID: CVE-2022-31629
Laravel Tech Community
