Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued in Codeigniter4
Description
CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting $secure or $httponly value to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie(). As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In CodeIgniter 4 prior to 4.2.7, the `$secure` and `$httponly` cookie configuration options are ignored, exposing cookies to scripts.
Vulnerability
Description
In CodeIgniter 4 versions before 4.2.7, setting $secure or $httponly to true in Config\Cookie does not take effect when cookies are issued through the set_cookie() helper or Response::setCookie() [3]. Cookies that were meant to be sent only over HTTPS (the Secure attribute) or kept out of reach of JavaScript (the HttpOnly attribute) are therefore emitted without those attributes: the browser will send them on plaintext HTTP requests to the host, and page scripts can read them through document.cookie. The helper and the response method do not fall back to the configured values, so unless the caller passes the flags explicitly on every call, the cookie is issued with neither attribute [4]. Session cookies are not affected [3].
Exploitation and Attack Surface
An attacker who can run JavaScript in the victim's browser on the affected origin (typically through a cross-site scripting flaw) can read any cookie that lacks HttpOnly via document.cookie. Because Secure is also missing, a network attacker positioned between the victim and the site (for example on shared Wi-Fi) can capture the cookie whenever the browser makes a plaintext HTTP request to the host, with no XSS required [1][3]. The vulnerability is triggered simply by an application relying on Config\Cookie and calling the default cookie-setting functions without passing the secure/httponly flags explicitly. Since session cookies are not affected, the exposure is limited to non-session cookies that carry sensitive values, such as remember-me or other authentication tokens, or personalization data [3].
Impact
Cookies that the developer believed were protected by the Secure and HttpOnly attributes can be disclosed, either through script access in the browser (HttpOnly missing) or through interception on the network (Secure missing). If such a cookie carries an authentication or remember-me token, the attacker can replay it and take over the account; otherwise the result is leakage of whatever sensitive data the cookie holds [1].
Mitigation
The vulnerability is fixed in CodeIgniter 4.2.7 [3]. Upgrading to that version or later ensures that the $secure and $httponly values from Config\Cookie are applied. Users who cannot upgrade should pass the secure/httponly options explicitly on every set_cookie() and Response::setCookie() call, or construct Cookie objects with the desired attributes and pass them to the response [3][4]. Either way, verify the deployed behaviour by inspecting the Set-Cookie response header (for example with curl -I or the browser's developer tools) and confirming that both Secure and HttpOnly appear; a missing attribute means some code path still relies on Config\Cookie. Note that a Secure cookie is only sent back by the browser over HTTPS, so the site must be served over TLS for that attribute to be usable.
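The following is an added example written for this page, not code from the advisory or from the CodeIgniter project. It assumes a CodeIgniter 4 application on a version before 4.2.7 and shows, in one controller, the vulnerable pattern that relies on Config\Cookie beside the two workarounds the advisory describes. The controller name `Account`, the method names, the cookie name `remember_token` and the `newToken()` helper are placeholders chosen for illustration.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Cookie\Cookie;

// Added example for a CodeIgniter 4 app before 4.2.7 (placeholder names).
class Account extends BaseController
{
    // Vulnerable pattern: relies on Config\Cookie::$secure / $httponly,
    // which set_cookie() ignores before 4.2.7. The resulting Set-Cookie
    // header carries neither Secure nor HttpOnly.
    public function loginVulnerable()
    {
        helper('cookie');
        set_cookie('remember_token', $this->newToken());

        return $this->response->setBody('logged in');
    }

    // Workaround 1: pass the attributes explicitly to the helper. The helper
    // accepts an options array in place of the positional arguments, and the
    // flags given here are honoured regardless of Config\Cookie.
    public function loginWithHelper()
    {
        helper('cookie');
        set_cookie([
            'name'     => 'remember_token',
            'value'    => $this->newToken(),
            'expire'   => 60 * 60 * 24 * 30, // lifetime in seconds from now
            'path'     => '/',
            'secure'   => true,              // sent over HTTPS only
            'httponly' => true,              // not readable via document.cookie
            'samesite' => 'Lax',
        ]);

        return $this->response->setBody('logged in');
    }

    // Workaround 2: build a Cookie object that carries the attributes and
    // hand it to the Response, which emits it exactly as constructed.
    public function loginWithCookieObject()
    {
        $cookie = new Cookie('remember_token', $this->newToken(), [
            'expires'  => time() + 60 * 60 * 24 * 30, // absolute Unix timestamp
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => Cookie::SAMESITE_LAX,
        ]);
        $this->response->setCookie($cookie);

        return $this->response->setBody('logged in');
    }

    // Placeholder token generation for the example. A real remember-me token
    // would also be stored server-side (hashed) and bound to the user record.
    private function newToken(): string
    {
        return bin2hex(random_bytes(32));
    }
}
```

Only one of the two workaround methods is needed in practice; both are shown so the helper form and the object form can be compared. Note the different time semantics: the helper's `expire` option is a number of seconds from now, while the `Cookie` constructor's `expires` option is an absolute timestamp (or a date string). After deploying, request the endpoint over HTTPS and confirm that the `Set-Cookie: remember_token=...` header ends with `Secure; HttpOnly; SameSite=Lax`; the vulnerable method, by contrast, produces a header without those attributes.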
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| codeigniter4/framework (Packagist) | < 4.2.7 | 4.2.7 |
Affected products
- (no CPE) range: >= 4.0.0, < 4.2.7
- (no CPE) range: < 4.2.7
- codeigniter4/CodeIgniter4 range: < 4.2.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-745p-r637-7vvp (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-39284 (advisory)
- codeigniter4.github.io/userguide/helpers/cookie_helper.html
- codeigniter4.github.io/userguide/outgoing/response.html
- developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-39284.yaml
- github.com/codeigniter4/CodeIgniter4/issues/6540
- github.com/codeigniter4/CodeIgniter4/pull/6544
- github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
News mentions
No linked articles in our index yet.