CVE-2022-36032 fixed in reactphp/http v1.7.0: ReactPHP's HTTP server parses encoded cookie names #465
clue
announced in
Announcements
Two weeks ago, we released reactphp/http v1.7.0. This is a SECURITY and feature release for the 1.x series of ReactPHP's HTTP component.

Today, we're publishing CVE-2022-36032, which has been fixed as part of this release: ReactPHP's HTTP server parses encoded cookie names, so malicious __Host- and __Secure- cookies can be sent. This is a medium severity security issue in ReactPHP's HTTP server component that affects all versions between v0.7.0 and v1.6.0. All users are encouraged to upgrade immediately. For more details, see CVE-2022-36032.

Special thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this release.
If you have any questions or comments about this advisory, please comment below.