CVE-2022-31629: 
PHP vulnerability analysis and mitigation

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, a vulnerability was discovered that enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications (CVE Database). The vulnerability was discovered on May 25, 2022, and patches were released in September 2022.

The vulnerability stems from PHP's handling of HTTP variable names and cookie processing. To ensure backward compatibility with register_globals, PHP replaces spaces, dots (.), and open square brackets ([) with underscores () in the keys of superglobal arrays including $COOKIE. As a result, a cookie sent by the browser as Cookie: ..Host-test=foo is treated by PHP as Cookie: __Host-test=foo. This behavior interferes with the special semantic of cookies with __Host- and __Secure- prefixes, which are designed to ensure high integrity of cookies and prevent manipulation by network attackers or malicious sibling domains (PHP Bug Report).

The vulnerability allows attackers to bypass security controls by setting standard insecure cookies that are then treated as secure __Host- or __Secure- prefixed cookies by PHP applications. This can lead to the addition or modification of data and potentially compromise the integrity of web applications that rely on these cookie prefixes for security mechanisms such as CSRF protection (Red Hat CVE).

The vulnerability has been fixed in PHP versions 7.4.31, 8.0.24, and 8.1.11. Users are strongly encouraged to upgrade to these or later versions. The fix involves changes to how PHP handles cookie names that would result in __Host- or __Secure- prefixes after name mangling (Fedora Update).