CVE-2022-31629

CVE-2022-31629: $_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities

Vendor: PHP Group
Product: PHP
Weakness: CWE-20 · Input validation
Published: September 28, 2022
Last update: November 4, 2025

CVSS base score

What the vulnerability does

01 Description

In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.
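A request-side check for the name rewriting described above, written as an added example; it is not code from this record or from the PHP project's fix. It flags cookies whose raw name does not literally start with `__Host-` or `__Secure-` but would after PHP rewrites the name. The function names and the sample header are constructed for illustration, and treating a space like a dot follows the PHP manual's description of incoming variable names rather than this record.

```php
<?php
// Characters PHP rewrites to "_" in incoming variable names.
// "." is the one named in this record's title; " " is per the PHP manual.
const MANGLED_CHARS = ['.', ' '];
const PROTECTED_PREFIXES = ['__Host-', '__Secure-'];

// Approximates the rewrite applied to a cookie name before it lands in $_COOKIE.
function mangle_name(string $name): string
{
    return str_replace(MANGLED_CHARS, '_', $name);
}

// Returns the raw cookie names in a Cookie header that only gain a protected
// prefix through the rewrite, i.e. names a browser never treated as prefixed.
function find_spoofed_prefix_cookies(string $cookieHeader): array
{
    $hits = [];
    foreach (explode(';', $cookieHeader) as $pair) {
        $raw = ltrim(explode('=', $pair, 2)[0]);
        if ($raw === '') {
            continue;
        }
        foreach (PROTECTED_PREFIXES as $prefix) {
            $len = strlen($prefix);
            $literal = strncmp($raw, $prefix, $len) === 0;
            $afterRewrite = strncmp(mangle_name($raw), $prefix, $len) === 0;
            if ($afterRewrite && !$literal) {
                $hits[] = $raw;
            }
        }
    }
    return $hits;
}

// Constructed sample header: one ordinary cookie, one genuine prefixed cookie,
// and one whose name only becomes "__Host-..." after the rewrite.
$sample = 'sid=abc; __Host-csrf=ok; ..Host-session=x';
var_export(find_spoofed_prefix_cookies($sample));

// In an application, feed it the raw header and reject or log on any hit:
// $hits = find_spoofed_prefix_cookies($_SERVER['HTTP_COOKIE'] ?? '');
```

On the fixed versions listed above this check is redundant; it is useful as a stopgap or as a logging rule while unpatched hosts remain.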

Key dates

02 Disclosure timeline

September 28, 2022 CVE published
November 4, 2025 Record updated