7.2.34
7.3.23
7.4.11
CVE-2020-7070 is a vulnerability in PHP affecting versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, and 7.4.x below 7.4.11. This vulnerability arises from improper handling of HTTP cookie names during URL decoding, enabling attackers to potentially forge secure cookies. The vulnerability was published on October 2, 2020, and a fix is available in PHP 7.4.11.
An attacker can exploit CVE-2020-7070 to forge secure cookies by manipulating the URL decoding process of HTTP cookie names. Specifically, they can craft cookie names that, after decoding, resemble reserved prefixes like '__Host', which are typically used for cookies intended to be accessible across subdomains. This allows an attacker to inject malicious cookies that appear legitimate, potentially leading to session hijacking and unauthorized access to sensitive data. The impact is particularly severe for applications relying on secure cookies for authentication and authorization, as an attacker could impersonate legitimate users.
CVE-2020-7070 is related to CVE-2020-8184, which addresses a similar cookie handling issue. While no public exploits have been widely reported, the potential for session hijacking makes this a concerning vulnerability. The vulnerability was disclosed publicly on October 2, 2020. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
26.09% (96% percentile)
CVSS Vector
The primary mitigation for CVE-2020-7070 is to upgrade to a patched version of PHP. Upgrade to PHP 7.4.11 or later to resolve this vulnerability. If upgrading is not immediately feasible, consider implementing stricter cookie validation on the application side to prevent the acceptance of cookies with unexpected prefixes. Web application firewalls (WAFs) can also be configured to filter out requests containing suspicious cookie names. After upgrading, verify the fix by attempting to set a cookie with a manipulated name and confirming that it is rejected.
Update to PHP version 7.2.34, 7.3.23 or 7.4.11, or a later version, to fix the vulnerability. This will prevent cookie names from being decoded insecurely, preventing cookie forgery.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-7070 is a vulnerability in PHP versions 7.2.x, 7.3.x, and 7.4.x where improper URL decoding of HTTP cookies allows attackers to forge secure cookies, potentially hijacking user sessions.
You are affected if you are using PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, or 7.4.x below 7.4.11. Upgrade to a patched version to mitigate the risk.
Upgrade to PHP 7.4.11 or later. If immediate upgrade is not possible, implement stricter cookie validation on the application side and consider using a WAF.
While no widespread exploitation has been publicly reported, the potential for session hijacking makes this a concerning vulnerability. Continuous monitoring is recommended.
Refer to the official PHP security advisory at https://security.php.net/advisory/7.2.34
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.