CVE-2022-36032 Information
Description
ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component, versions starting with 0.7.0 and prior to 1.7.0, cookie names are url-decoded when ReactPHP processes incoming HTTP cookie values. As a result, cookies with prefixes like __Host- and __Secure- may be confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, infrastructure or DevOps teams can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.
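The name-decoding confusion described above, shown as an added PHP example together with the kind of check a filtering proxy could apply. This is not ReactPHP's code: the function names are hypothetical, the sample header is constructed, and it assumes cookie values are still url-decoded when names are kept raw.

```php
<?php
// Added illustration; hypothetical helper names, not ReactPHP's API.

// Split a Cookie request header into [rawName, rawValue] pairs.
function splitCookieHeader(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) === 2 && $kv[0] !== '') {
            $pairs[] = $kv;
        }
    }
    return $pairs;
}

// $decodeNames = true reproduces the behaviour the description reports
// (names are url-decoded); false keeps names byte-for-byte.
function parseCookies(string $header, bool $decodeNames): array
{
    $cookies = [];
    foreach (splitCookieHeader($header) as [$name, $value]) {
        $key = $decodeNames ? urldecode($name) : $name;
        $cookies[$key] = urldecode($value); // assumption: values stay decoded
    }
    return $cookies;
}

// Filter check: raw names that gain a reserved prefix only after decoding.
function findPrefixConfusion(string $header): array
{
    $hits = [];
    foreach (splitCookieHeader($header) as [$name, $value]) {
        $decoded = urldecode($name);
        if ($decoded !== $name && preg_match('/^__(Host|Secure)-/i', $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample header: the second name is percent-encoded.
$header = 'theme=dark; %5F%5FHost-session=forged';

print_r(parseCookies($header, true));   // name decoding on
print_r(parseCookies($header, false));  // names kept raw
print_r(findPrefixConfusion($header));  // names a filter should reject
```

With name decoding on, the application sees a key that carries the reserved prefix even though the browser never applied the prefix rules to it; with names kept raw, the key stays in its encoded form and does not match.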
Reference
https://github.com/reactphp/http/pull/175
https://github.com/reactphp/http/security/advisories/GHSA-w3w9-vrf5-8mx8
https://github.com/reactphp/http/releases/tag/v1.7.0
https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6