CVE-2025-24013

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-24013
CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application. This vulnerability is fixed in 4.5.8.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://datatracker.ietf.org/doc/html/rfc7230#section-3.2 Technical Description
https://github.com/advisories/GHSA-wxmh-65f7-jcvw Not Applicable
https://github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6 Patch
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*
History

01 Aug 2025, 19:17

Type Values Removed Values Added
First Time Codeigniter
Codeigniter codeigniter
CPE cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:*
References () https://datatracker.ietf.org/doc/html/rfc7230#section-3.2 - () https://datatracker.ietf.org/doc/html/rfc7230#section-3.2 - Technical Description
References () https://github.com/advisories/GHSA-wxmh-65f7-jcvw - () https://github.com/advisories/GHSA-wxmh-65f7-jcvw - Not Applicable
References () https://github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6 - () https://github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6 - Patch
References () https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6 - () https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6 - Vendor Advisory
Summary
  • (es) CodeIgniter es una web PHP full-stack framework. Antes de la versión 4.5.8, CodeIgniter carecía de una validación de encabezado adecuada para su nombre y valor. El atacante potencial puede construir encabezados malformados deliberadamente con la clase Header. Esto podría interrumpir la funcionalidad de la aplicación, lo que podría causar errores o generar solicitudes HTTP no válidas. En algunos casos, estas solicitudes malformadas pueden conducir a un escenario de denegación de servicio (DoS) si el firewall de la aplicación web de un servicio remoto las interpreta como maliciosas y bloquea la comunicación con la aplicación. Esta vulnerabilidad se solucionó en la versión 4.5.8.

20 Jan 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-20 16:15

Updated : 2025-08-01 19:17

NVD link : CVE-2025-24013

Mitre link : CVE-2025-24013

CVE.ORG link : CVE-2025-24013

JSON object : View

Products Affected

codeigniter

  • codeigniter
CWE
CWE-436

Interpretation Conflict