PT-2022-23130 · Unknown · Reactphp Http

Lavish · Published 2022-09-06 · Updated 2022-09-16 · CVE-2022-36032

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ReactPHP HTTP versions 0.7.0 through 1.7.0

Description: The issue arises when ReactPHP's HTTP server component parses incoming Cookie request headers and url-decodes the cookie names. A cookie whose raw name merely decodes to a `__Host-` or `__Secure-` prefix is then indistinguishable from a cookie that actually carries that prefix, so the prefix no longer guarantees how the cookie was set, and an attacker can forge secure cookies.

Recommendations: For ReactPHP HTTP versions 0.7.0 through 1.6.x, update to version 1.7.0 to resolve the issue. As a temporary workaround for versions 0.7.0 through 1.6.x, consider placing a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.
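The parsing defect described above, as an added illustration that is not ReactPHP's code: a cookie parser that url-decodes names (the weak pattern) beside one that keeps names verbatim (the corrected pattern), both fed a constructed Cookie header. The function names are hypothetical and the header is a constructed sample.

```php
<?php
// Added illustration, not ReactPHP's own code. Shows why url-decoding
// cookie *names* breaks __Host-/__Secure- prefix guarantees, and the
// parser behaviour that keeps them intact.

/** Weak pattern: both the name and the value are url-decoded. */
function parseCookiesDecodingNames(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // ignore empty or malformed pairs
        }
        [$name, $value] = explode('=', $pair, 2);
        // Defect: two different raw names can decode to the same key, so a
        // later pair silently overwrites an earlier one in this array.
        $cookies[urldecode($name)] = urldecode($value);
    }
    return $cookies;
}

/** Corrected pattern: the name is kept exactly as received; only the value is decoded. */
function parseCookiesVerbatimNames(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        // A cookie name is a token (RFC 6265); percent-encoding carries no
        // meaning in it, so prefix checks must run on the raw name.
        $cookies[$name] = urldecode($value);
    }
    return $cookies;
}

// Constructed sample: a genuine __Host- cookie followed by a cookie whose
// raw name only decodes to the same prefix.
$header = '__Host-session=abc; %5F%5FHost-session=other';

$decoded  = parseCookiesDecodingNames($header);   // one key, value "other"
$verbatim = parseCookiesVerbatimNames($header);   // two distinct keys

echo "decoded names : ", json_encode($decoded), "\n";
echo "verbatim names: ", json_encode($verbatim), "\n";
```

With decoded names the two cookies collapse into a single `__Host-session` entry and the genuine value is lost; with verbatim names they stay distinct and only the real `__Host-session` key satisfies a prefix check.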


Weakness Enumeration

Related Identifiers

CVE-2022-36032
GHSA-W3W9-VRF5-8MX8

Affected Products

Reactphp Http