CVE-2022-25355: EC-CUBE improperly handles HTTP Host header values
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.76617%
CWE
Published
2/25/2022
Updated
4/25/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ec-cube/ec-cube | composer | >= 3.0.0, <= 3.0.18-p3 | |
ec-cube/ec-cube | composer | >= 4.0.0, <= 4.1.1 | 4.1.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing Host header validation. The patch for EC-CUBE 3.x explicitly adds Symfony's setTrustedHosts()
call in index.php
and index_dev.php
to enforce host whitelisting. Vulnerable versions omitted this validation, allowing attackers to forge URLs via malicious Host headers. The absence of these function calls directly correlates with the improper Host header handling described in CVE-2022-25355.