CVE-2026-9679 undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...
CLSA-2024-1727115733 ruby: Fix of CVE-2021-41819
CVE-2021-41819: when parsing cookies, only decode the values...
SUSE CVE-2020-7070
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like Host confused with cookies that decode to such prefix, thus leading to an attacker being...
ReactPHP HTTP security vulnerability
ReactPHP HTTP is an open source, event-driven, streaming HTTP client and server implementation for ReactPHP. A security vulnerability exists in ReactPHP HTTP versions prior to 0.7.0 through 1.7.0 that stems from the fact that when ReactPHP processes incoming HTTP cookie values, the cookie...
CLSA-2022-1643747494 Fix of CVE: CVE-2020-7071, CVE-2020-7068, CVE-2020-7069, CVE-2020-7070, CVE-2021-21702
CVE-2020-7068: php: Use of freed hash key in the pharparsezipfile function - CVE-2020-7069: php: Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV - CVE-2020-7070: php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server -...
php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like Host confused with cookies that decode to such prefix, thus leading to an attacker being...
dotnet: ASP.NET cookie prefix spoofing vulnerability
A flaw was found in ASP.NET. Certain cookie values are not properly decoded allowing a remote attacker to bypass the "Cookie Prefixes" security mechanism. The highest threat from this vulnerability is to data integrity...
Rabid - A CLI Tool And Library Allowing To Simply Decode All Kind Of BigIP Cookies
RApid BigIP Decoder. What it is: A CLI tool and library allowing to simply decode all kinds of BigIP cookies. Features: supports all 4 cookie formats; CLI tool & library; hackable. References: Homepage / Documentation: https://orange-cyberdefense.github.io/rabid/ Author: Made by Alexandre ZANNI @noraj...