CVE-2024-2756 Overview
CVE-2024-2756 is an improper input validation vulnerability in PHP that stems from an incomplete fix to CVE-2022-31629. This vulnerability allows network and same-site attackers to set a standard insecure cookie in the victim's browser, which PHP applications incorrectly treat as a __Host- or __Secure- prefixed cookie. These cookie prefixes are designed to provide additional security guarantees, and bypassing them can undermine the security posture of web applications relying on these protections.
Critical Impact
Attackers can bypass cookie security mechanisms, potentially leading to session manipulation, authentication bypass, or other integrity-related attacks in PHP web applications.
Affected Products
- PHP (multiple versions)
- Debian Linux (affected via PHP packages)
- Fedora Linux (affected via PHP packages)
Discovery Timeline
- April 12, 2024 - Vulnerability disclosed via Openwall OSS Security mailing list
- April 29, 2024 - CVE-2024-2756 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2024-2756
Vulnerability Analysis
This vulnerability represents an incomplete remediation of a prior security issue (CVE-2022-31629). The original vulnerability involved improper handling of cookie prefixes, and while a fix was implemented, it did not fully address all attack vectors. The __Host- and __Secure- cookie prefixes are security features defined in RFC 6265bis that provide additional protections: __Host- cookies must be set with the Secure attribute, without a Domain attribute, and with Path=/, while __Secure- cookies must be set with the Secure attribute. When PHP incorrectly accepts standard cookies as prefixed cookies, attackers can inject cookies that the application trusts as having elevated security properties.
The vulnerability is exploitable over the network and requires user interaction, such as visiting a malicious page or being on the same network as the attacker. Successful exploitation impacts the integrity of cookie-based security mechanisms without directly affecting confidentiality or availability.
Root Cause
The root cause is an improper input validation flaw (CWE-20) in PHP's cookie handling logic. The original fix for CVE-2022-31629 did not comprehensively validate all scenarios where an attacker could craft a cookie that bypasses the prefix security checks. This allows standard insecure cookies to be interpreted as security-prefixed cookies by PHP applications, undermining the intended security guarantees of these cookie mechanisms.
Attack Vector
The attack can be conducted by network-positioned attackers or same-site attackers who can inject cookies into a victim's browser. The attacker crafts a cookie without the required security attributes but with a name that PHP applications incorrectly recognize as having __Host- or __Secure- prefix protections.
The exploitation mechanism involves:
- An attacker positioned on the same network or same site as the victim
- The attacker injects a standard cookie (without Secure flag or other required attributes) into the victim's browser
- The victim's browser sends this cookie to a PHP application
- Due to incomplete validation, PHP treats this insecure cookie as a trusted __Host- or __Secure- prefixed cookie
- The application makes security decisions based on this falsely-trusted cookie
For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2024-2756
Indicators of Compromise
- Unexpected or malformed cookies appearing in application logs with __Host- or __Secure- prefixes
- Cookie values that were set without HTTPS but are being processed as secure cookies
- Anomalous session behavior or authentication inconsistencies in PHP applications
Detection Strategies
- Monitor web application firewall (WAF) logs for suspicious cookie injection attempts
- Implement server-side logging to track cookie prefix validation events
- Review PHP application logs for unexpected cookie handling patterns
- Deploy network monitoring to detect same-site attack patterns targeting cookie injection
Monitoring Recommendations
- Enable detailed PHP error logging to capture cookie handling anomalies
- Implement application-level monitoring for session integrity violations
- Configure intrusion detection systems (IDS) to alert on cookie manipulation attempts
- Review access logs for requests from suspicious network positions that may indicate same-site attacks
How to Mitigate CVE-2024-2756
Immediate Actions Required
- Update PHP to the latest patched version that addresses CVE-2024-2756
- Review and update Debian, Fedora, or other Linux distributions to include patched PHP packages
- Audit PHP applications for reliance on __Host- and __Secure- cookie prefixes for security decisions
- Implement additional application-level validation of cookie security attributes
Patch Information
Security patches are available from multiple sources. Consult the following advisories for specific patch versions and installation instructions:
- GitHub Security Advisory (GHSA-wpj3-hf5j-x4v4)
- Debian LTS Announcement
- NetApp Security Advisory
- Fedora Package Announcements
Workarounds
- Implement additional application-level validation of cookie attributes before trusting prefixed cookies
- Use secure, HTTPS-only connections for all cookie transmission to reduce network attack surface
- Consider implementing Content Security Policy (CSP) headers to mitigate certain cookie injection scenarios
- Deploy network segmentation to reduce same-site attack opportunities
# Configuration example for enforcing HTTPS and secure cookies in Apache
# Add to your Apache configuration or .htaccess file
# Force HTTPS redirect
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# Set secure cookie flags via headers
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
