CVE-2022-36032 : ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP.

ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.

Published 2022-09-06 19:15:08

Updated 2022-09-10 03:18:25

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2022-36032

Reactphp » Http
Versions from including (>=) 0.7.0 and before (<) 1.7.0
cpe:2.3:a:reactphp:http:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36032

EPSS FAQ

0.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 33 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36032

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2022-36032

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: security-advisories@github.com (Primary)
CWE-565 Reliance on Cookies without Validation and Integrity Checking

The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-36032

https://github.com/reactphp/http/releases/tag/v1.7.0

Release v1.7.0 · reactphp/http · GitHub
Release Notes;Third Party Advisory
https://github.com/reactphp/http/pull/175

Add cookies to request object by legionth · Pull Request #175 · reactphp/http · GitHub
Issue Tracking;Patch;Third Party Advisory
https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6

Do not decode cookie names anymore · reactphp/http@663c9a3 · GitHub
Patch;Third Party Advisory
https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8

ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent · Advisory · reactphp/http · GitHub
Issue Tracking;Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36032

Products affected by CVE-2022-36032

Exploit prediction scoring system (EPSS) score for CVE-2022-36032

CVSS scores for CVE-2022-36032

CWE ids for CVE-2022-36032

References for CVE-2022-36032