Vulnerability details: VCID-ntph-mnds-9ffc
Vulnerability ID VCID-ntph-mnds-9ffc
Aliases CVE-2022-39284
GHSA-745p-r637-7vvp
Summary CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be noted that this vulnerability does not affect session cookies. Users are advised to upgrade to v4.2.7 or later. Users unable to upgrade are advised to manually construct their cookies either by setting the options in code or by constructing Cookie objects. Examples of each workaround are available in the linked GHSA.
Status Published
Exploitability 0.5
Weighted Severity 2.7
Risk 1.4
System Score Found at
epss 0.00492 https://api.first.org/data/v1/epss?cve=CVE-2022-39284
cvssv3.1 2.6 https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
generic_textual LOW https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
ssvc Track https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
cvssv3.1 2.6 https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
generic_textual LOW https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
ssvc Track https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
cvssv3.1 2.6 https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
generic_textual LOW https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
ssvc Track https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
cvssv3.1_qr LOW https://github.com/advisories/GHSA-745p-r637-7vvp
cvssv3.1 2.6 https://github.com/codeigniter4/CodeIgniter4
generic_textual LOW https://github.com/codeigniter4/CodeIgniter4
cvssv3.1 2.6 https://github.com/codeigniter4/CodeIgniter4/issues/6540
generic_textual LOW https://github.com/codeigniter4/CodeIgniter4/issues/6540
ssvc Track https://github.com/codeigniter4/CodeIgniter4/issues/6540
cvssv3.1 2.6 https://github.com/codeigniter4/CodeIgniter4/pull/6544
generic_textual LOW https://github.com/codeigniter4/CodeIgniter4/pull/6544
ssvc Track https://github.com/codeigniter4/CodeIgniter4/pull/6544
cvssv3.1 2.6 https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
cvssv3.1_qr LOW https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
generic_textual LOW https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
ssvc Track https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
cvssv3.1 2.6 https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-39284.yaml
generic_textual LOW https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-39284.yaml
cvssv3.1 2.6 https://nvd.nist.gov/vuln/detail/CVE-2022-39284
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2022-39284
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:43:55Z/ Found at https://codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:43:55Z/ Found at https://codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:43:55Z/ Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/codeigniter4/CodeIgniter4
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/codeigniter4/CodeIgniter4/issues/6540
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:43:55Z/ Found at https://github.com/codeigniter4/CodeIgniter4/issues/6540
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/codeigniter4/CodeIgniter4/pull/6544
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:43:55Z/ Found at https://github.com/codeigniter4/CodeIgniter4/pull/6544
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:43:55Z/ Found at https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-39284.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-39284
Exploit Prediction Scoring System (EPSS)
Percentile 0.66096
EPSS Score 0.00492
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:38:44.995064+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/39xxx/CVE-2022-39284.json 38.6.0