Incorrect parsing of nameless cookies leads to __Host- cookies bypass
Description
Published by the National Vulnerability Database
Feb 14, 2023
Published to the GitHub Advisory Database
Feb 15, 2023
Reviewed
Feb 15, 2023
Last updated
Nov 19, 2024
Browsers may allow "nameless" cookies that look like
=value
instead ofkey=value
. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like=__Host-test=bad
for another subdomain.Werkzeug <= 2.2.2 will parse the cookie
=__Host-test=bad
as__Host-test=bad
. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.References