The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.10. This release contains security fixes and is a recommended upgrade for all applications still using 4.0.x.
The security fixes address a vulnerability in the CsrfProtectionMiddleware that allowed method override parameters to bypass CSRF checks for requests with no additional POST data. The fixes validate that the HTTP method override is a valid HTTP method name. We'd like to thank Xhelal Likaj for reporting this issue to us via our security mailing list.
The versions impacted by this issue are >4.0.0, <=4.0.9 and >4.1.0, <=4.1.3. Releases after 4.1.3 are not vulnerable as they already validated the HTTP method names.
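As an added illustration (not CakePHP's own middleware code), the standalone PHP below shows the principle behind the fix: a _method override is honoured only when it names a known HTTP method, and the CSRF decision is made fail-closed so that an override can never exempt a request from the token check. It goes a little beyond the fix described above by also accepting an override only on a real POST; the function names, constants and sample requests are invented for the example.

```php
<?php
// Added example, not CakePHP's own middleware: fail-closed handling of a
// `_method` override before deciding whether a CSRF token must be checked.

const HTTP_METHODS = ['GET', 'HEAD', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE'];
const CSRF_SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Resolve the effective request method from the real one and the parsed body.
function resolveMethod(string $realMethod, array $postData): string
{
    $realMethod = strtoupper($realMethod);
    if (!array_key_exists('_method', $postData)) {
        return $realMethod;
    }
    $override = is_string($postData['_method']) ? strtoupper($postData['_method']) : '';
    // Only a real POST may be overridden, and only to a known HTTP method name;
    // anything else is an error, never a pass-through.
    if ($realMethod !== 'POST' || !in_array($override, HTTP_METHODS, true)) {
        throw new InvalidArgumentException('Invalid or unexpected _method override');
    }
    return $override;
}

// A token is required unless BOTH the real and the effective method are safe,
// so an override can never move a request out of the check.
function csrfCheckRequired(string $realMethod, array $postData): bool
{
    $effective = resolveMethod($realMethod, $postData);
    return !in_array(strtoupper($realMethod), CSRF_SAFE_METHODS, true)
        || !in_array($effective, CSRF_SAFE_METHODS, true);
}

// Constructed sample requests: [real method, parsed POST body] and the cookie token.
$cookie = 'constructed-token';
$cases = [
    ['GET',  []],                                             // no check needed
    ['POST', ['_method' => 'PUT', '_csrfToken' => $cookie]],  // override honoured, token ok
    ['POST', ['_method' => 'GET']],                           // still checked; no token -> failure
    ['POST', ['_method' => 'NOTAMETHOD']],                    // rejected outright
];
foreach ($cases as [$method, $data]) {
    try {
        $ok = !csrfCheckRequired($method, $data)
            || hash_equals($cookie, (string)($data['_csrfToken'] ?? ''));
        echo "$method " . json_encode($data) . ' => ' . ($ok ? 'allowed' : 'CSRF failure') . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$method " . json_encode($data) . ' => 400 ' . $e->getMessage() . "\n";
    }
}
```

Run with `php example.php`; the third and fourth cases show why an unvalidated override matters: one is still held to the token check, the other never reaches application code at all.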
Bugfixes
You can expect the following changes in 4.0.10. See the changelog for every commit.
- Fixed validation of HTTP methods defined in _method parameters.
Contributors to 4.0.10
Thank you to all the contributors that helped make this release happen:
- Mark Story
- Xhelal Likaj
As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.