CVE-2022-31629

CVE-2022-31629 php: standard insecure cookie could be treated as a `__Host-` or `__Secure-` cookie by PHP applications

Publication Date	2022-09-29
Severity	Critical
Type	Cross-Site Request Forgery
Affected PHP Versions	5.6.0 - 5.6.40 7.1.0 - 7.1.33 7.2.0 - 7.2.34 7.3.0 - 7.3.33 7.4.0 - 7.4.30 8.0.0 - 8.0.23 8.1.0 - 8.1.10
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendServer 8.5.20 ZendServer 9.1.15 ZendServer 2019.1.2 ZendServer 2021.3.0

CVE Details

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

Recommendations

If you use same-site cookies, and are on PHP versions prior to 7.4.31, 8.0 versions prior to 8.0.24, or 8.1 versions prior to 8.1.11, you should update to a patched or newer version of PHP.

< View all CVEs

Featured Product

ZendPHP

2025 PHP Landscape Report

CVE Details

Recommendations