CakePHP 2.5.9 Released
The CakePHP core team is ready to announce the immediate availability of CakePHP 2.5.9. These releases contain important security updates for applications using prefix routing.
Security Issues
There are two issues that can impact the security of a CakePHP application:
- Unconventional URL paths would allow direct access to prefixed actions without setting the correct request parameters. If your authorization depends on the presence of the 'prefix' routing key you should upgrade as soon as possible.
- Validation::compare() and Validation::range() would allow specifically crafted data past certain criteria.
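As an added example (not code from the CakePHP release or core), one way to make a CakePHP 2 controller authorization check robust to the first issue, assuming AuthComponent in 'Controller' authorize mode and a Routing.prefixes setting that includes 'admin': derive the prefix from the action name itself and require the routing parameter as well, so an admin_* action is never treated as public just because the prefix key is missing.

```php
<?php
// Added example; assumes CakePHP 2.x with Routing.prefixes set, e.g.
// Configure::write('Routing.prefixes', array('admin')); in Config/core.php.
App::uses('Controller', 'Controller');

class AppController extends Controller {

	public $components = array(
		'Auth' => array('authorize' => 'Controller'),
	);

	// Brittle form: trusts only the routing key. If a prefixed action is
	// reached without the 'admin' parameter set, this falls through to the
	// permissive default and the admin branch never runs.
	//
	//   if (!empty($this->request->params['admin'])) {
	//       return $user['role'] === 'admin';
	//   }
	//   return true;

	// Defensive form: any action whose name starts with a configured prefix
	// is treated as belonging to that prefix, regardless of routing, and is
	// only allowed when the request was also routed through that prefix
	// and the user holds the matching role.
	public function isAuthorized($user) {
		$prefixes = (array)Configure::read('Routing.prefixes');
		$action = $this->request->action;

		foreach ($prefixes as $prefix) {
			if (strpos($action, $prefix . '_') === 0) {
				$routedWithPrefix = !empty($this->request->params[$prefix]);
				$hasRole = isset($user['role']) && $user['role'] === $prefix;
				return $routedWithPrefix && $hasRole;
			}
		}

		// Non-prefixed actions: apply the application's normal rules here.
		return true;
	}
}
```

Upgrading to 2.5.9 remains the actual fix; this check is an additional layer for applications whose authorization logic keys off the prefix.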
We'd like to thank 'Kurita Takashi' for contacting us through our security issue process about the CsrfComponent issue. We recommend that all users of CakePHP upgrade to one of these releases as soon as possible. CakePHP 3.x is unaffected by the prefix routing issue.