CodeIgniter is a popular PHP web framework, trusted by developers worldwide for building fast and secure web applications. But even big projects have their vulnerabilities. In early 2022, a dangerous flaw, catalogued as CVE-2022-24711, was discovered in the 4.x branch (before version 4.1.9). This exclusive long read will break down how the bug works, why it's dangerous, how to exploit it, and how to stay safe.

What is CVE-2022-24711?

CVE-2022-24711 is classified as an improper input validation vulnerability. In plain English, it means that CodeIgniter4 allowed attackers to execute commands meant for the Command Line Interface (CLI) just by making a regular HTTP request.

Here’s the official advisory:

- Github Security Advisory GHSA-3wpc-34r9-495g
- NVD entry for CVE-2022-24711

Affected versions:  
All CodeIgniter4 versions before 4.1.9.

Why is This a Problem?

Let’s say you made a CLI route—a command that's supposed to run only by administrators via the terminal. Normally, web users should never run these routes from a browser.

But due to a bug, attackers could run these CLI-only commands just with a crafted HTTP request. In the wrong hands, this could mean data theft, manipulation, or server-side mischief.

How The Vulnerability Works

Background:  
CodeIgniter routes come in different types. Generally, HTTP routes (for browsers) and CLI routes should be separate and isolated from each other.

The Issue:  
There was a logic gap in how CodeIgniter4 separated HTTP and CLI routes. A hacker could send an HTTP request that mimicked a CLI request, and CodeIgniter would process it as a CLI route.

- Developer creates an admin-only CLI route: php spark user:reset admin
- Attacker crafts an HTTP GET request to /user:reset/admin

Let’s imagine a simplified CodeIgniter route for resetting a user's password via CLI

// in app/Commands/ResetUser.php

namespace App\Commands;

use CodeIgniter\CLI\BaseCommand;
use CodeIgniter\CLI\CLI;

class ResetUser extends BaseCommand
{
    protected $group = 'Custom';
    protected $name = 'user:reset';          // invoked as: php spark user:reset <username>
    protected $description = 'Resets a user password';

    public function run(array $params)
    {
        // First positional argument after the command name is the username
        $username = $params[0] ?? null;
        if (!$username) {
            CLI::write('No username provided');
            return;
        }
        // Logic to reset password here!
        CLI::write("Password for {$username} reset.");
    }
}

> Intended Usage:
> On the terminal:  
> php spark user:reset admin

With the vulnerability, an attacker just goes to

http://target-site.com/user:reset/admin

The web server sees this as a call to the CLI route, and runs the code above, without any CLI checks!

The Patch (How Version 4.1.9 Fixes It)

From CodeIgniter4 v4.1.9 onwards, the framework separates CLI and HTTP routes with proper checks. Now, CLI routes can't be triggered via HTTP requests.

Core Fix: Past versions had this logic

if (ENVIRONMENT !== 'production' && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
    // Allowed through
}

New versions require that CLI-only routes can *only* be run via the CLI, by checking the interface

if (php_sapi_name() !== 'cli') {
    // Deny execution for HTTP requests
    die('Forbidden');
}
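To make the difference between the two gates concrete, here is an added PHP example (not code from the post and not CodeIgniter's own source). It reproduces the pre-4.1.9 condition exactly as the post presents it, puts the interface check next to it, and runs a hardened version of the ResetUser::run() body against three constructed scenarios. The function names, the scenario values and the choice to pass $sapi and $_SERVER data in as parameters (so the script runs under any SAPI) are all assumptions made for the example.

```php
<?php
// Added example, not code from the post or from CodeIgniter itself.
// It evaluates the two gates the post describes against constructed
// request scenarios; $sapi and $server are passed in explicitly so the
// script runs under any SAPI.

declare(strict_types=1);

/**
 * The pre-4.1.9 condition as the post presents it: a non-production
 * environment plus a GET request is "allowed through". Nothing in it
 * says which interface (terminal or web server) the request came from.
 */
function legacyGateAllows(string $environment, array $server): bool
{
    return $environment !== 'production'
        && ($server['REQUEST_METHOD'] ?? null) === 'GET';
}

/**
 * The interface check: PHP_SAPI is the constant behind php_sapi_name().
 * It is "cli" for `php spark ...` and something like "fpm-fcgi" or
 * "apache2handler" when a web server is executing the request.
 */
function cliGateAllows(string $sapi): bool
{
    return $sapi === 'cli';
}

/**
 * The body of the post's ResetUser::run(), hardened so the interface check
 * happens before any work is done. It returns its message instead of calling
 * CLI::write() so it can be exercised from a plain script.
 */
function resetUserRun(array $params, string $sapi): string
{
    if (!cliGateAllows($sapi)) {
        return 'Forbidden: user:reset is a CLI-only command';
    }
    $username = $params[0] ?? null;
    if ($username === null || $username === '') {
        return 'No username provided';
    }
    // Password-reset logic would go here.
    return "Password for {$username} reset.";
}

// Constructed scenarios (hypothetical values, not captured from any host).
$scenarios = [
    'terminal: php spark user:reset admin' => [
        'env'    => 'development',
        'sapi'   => 'cli',
        'server' => ['argv' => ['spark', 'user:reset', 'admin']],
    ],
    'browser: GET /user:reset/admin (development)' => [
        'env'    => 'development',
        'sapi'   => 'fpm-fcgi',
        'server' => ['REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '203.0.113.7'],
    ],
    'browser: GET /user:reset/admin (production)' => [
        'env'    => 'production',
        'sapi'   => 'fpm-fcgi',
        'server' => ['REQUEST_METHOD' => 'GET', 'REMOTE_ADDR' => '203.0.113.7'],
    ],
];

foreach ($scenarios as $label => $s) {
    printf(
        "%-46s env/method gate: %-5s  SAPI gate: %-5s  run(): %s\n",
        $label,
        legacyGateAllows($s['env'], $s['server']) ? 'allow' : 'deny',
        cliGateAllows($s['sapi']) ? 'allow' : 'deny',
        resetUserRun(['admin'], $s['sapi'])
    );
}
```

Run it with `php gate-demo.php` (any file name). The development-mode browser request is the only scenario the environment/method condition lets through, and it is exactly the one the SAPI check refuses; the terminal invocation passes the SAPI check regardless of environment. In a real CodeIgniter4 application you would not hand-roll this: the framework's own is_cli() helper and $routes->cli() route type express the same intent, and from 4.1.9 onwards the framework enforces the separation itself, so the guard above is defence in depth behind the upgrade, not a substitute for it.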

You can find the full fix here:  
- Patch Pull Request #5977

Are There Workarounds?

No.  
There are no known workarounds. The only real solution is to upgrade CodeIgniter4 to 4.1.9 or later.

How Can You Stay Safe?

1. Upgrade Immediately:  
Update your application to CodeIgniter4 v4.1.9+.

2. Audit Your CLI Routes:  
Double-check your codebase for sensitive CLI commands and ensure they are not exposed.

3. Prevent Untrusted Access:  
Use firewall rules, .htaccess, or web server configuration to block direct access to any sensitive endpoints.
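Steps 2 and 3 are easier to act on with an inventory of what the application actually exposes. The following PHP script is an added example (not part of the post and not CodeIgniter code): it pulls command names out of spark command classes and URI patterns out of $routes->cli() definitions, then flags web access log lines whose request path targets one of them, which is the same list you would feed into a web server deny rule. It assumes commands declare `protected $name` as in the post's example and that CLI routes are registered with $routes->cli(); the source files, route file and log lines are all constructed inline so it runs offline.

```php
<?php
// Added example, not part of the post or of CodeIgniter: inventories the
// command names and CLI routes an application declares, then checks web
// access log lines for requests aimed at them. The source files and log
// lines below are constructed inline so the script runs offline.

declare(strict_types=1);

/** Collect `protected $name = '...'` from spark command classes, keyed by name. */
function extractCommandNames(array $sources): array
{
    $names = [];
    foreach ($sources as $path => $code) {
        if (preg_match('/protected\s+\$name\s*=\s*[\'"]([^\'"]+)[\'"]/', $code, $m)) {
            $names[$m[1]] = $path;
        }
    }
    return $names;
}

/** Collect the URI pattern of every $routes->cli('pattern', ...) definition. */
function extractCliRoutes(string $routesSource): array
{
    preg_match_all('/\$routes->cli\(\s*[\'"]([^\'"]+)[\'"]/', $routesSource, $m);
    return $m[1];
}

/** Literal prefix of a route pattern: everything before the first placeholder. */
function routePrefix(string $pattern): string
{
    $prefix = strstr($pattern, '(', true);
    return '/' . trim($prefix === false ? $pattern : $prefix, '/');
}

/**
 * Flag combined-format access log lines whose request path names a command
 * or starts with a CLI route prefix. Returns [matched name, log line] pairs.
 */
function findCliHitsInLog(array $logLines, array $commandNames, array $cliRoutes): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('/"(?:GET|POST|HEAD|PUT|DELETE) ([^ ?"]+)/', $line, $m)) {
            continue;
        }
        $path  = rawurldecode($m[1]);            // also catches /user%3Areset/admin
        $first = explode('/', ltrim($path, '/'))[0];
        if (isset($commandNames[$first])) {
            $hits[] = [$first, $line];
            continue;
        }
        foreach ($cliRoutes as $pattern) {
            $prefix = routePrefix($pattern);
            if ($path === $prefix || strncmp($path, $prefix . '/', strlen($prefix) + 1) === 0) {
                $hits[] = [$pattern, $line];
                break;
            }
        }
    }
    return $hits;
}

// Constructed application sources (hypothetical, modelled on the post's command).
$commandSources = [
    'app/Commands/ResetUser.php' => "<?php\nclass ResetUser extends BaseCommand {\n    protected \$name = 'user:reset';\n}\n",
    'app/Commands/Migrate.php'   => "<?php\nclass Migrate extends BaseCommand {\n    protected \$name = \"db:migrate\";\n}\n",
];
$routesSource = "<?php\n\$routes->get('users/profile', 'Users::profile');\n"
    . "\$routes->cli('tools/cache/clear', 'Tools::clearCache');\n"
    . "\$routes->cli('tools/export/(:segment)', 'Tools::export/\$1');\n";

// Constructed access log lines (RFC 5737 documentation addresses, not real traffic).
$logLines = [
    '203.0.113.7 - - [01/Mar/2022:10:14:02 +0000] "GET /user:reset/admin HTTP/1.1" 200 57 "-" "curl/7.81.0"',
    '203.0.113.7 - - [01/Mar/2022:10:14:09 +0000] "GET /user%3Areset/admin HTTP/1.1" 200 57 "-" "curl/7.81.0"',
    '198.51.100.2 - - [01/Mar/2022:10:15:30 +0000] "GET /users/profile HTTP/1.1" 200 1422 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Mar/2022:10:16:01 +0000] "GET /tools/export/all?format=csv HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
];

$commands = extractCommandNames($commandSources);
$routes   = extractCliRoutes($routesSource);

echo "Commands: " . implode(', ', array_keys($commands)) . "\n";
echo "CLI routes: " . implode(', ', $routes) . "\n\n";
foreach (findCliHitsInLog($logLines, $commands, $routes) as [$name, $line]) {
    echo "[{$name}] {$line}\n";
}
```

On the constructed input the script reports user:reset twice (once for the literal path and once for the percent-encoded form) and tools/export/(:segment) once; the /users/profile request is not flagged. To use it for real, replace the inline strings with the contents of app/Commands/*.php, app/Config/Routes.php and your web server's access log; a 200 response on one of the flagged lines from a pre-4.1.9 deployment is the signal to investigate.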

Conclusion

CVE-2022-24711 reminds us that web frameworks—no matter how mature—can still have severe flaws. Always keep dependencies up to date and audit your application’s routes and access patterns. If you build with CodeIgniter4, make upgrading a regular habit!

References

- Original Security Advisory
- Mitre/NVD Listing
- Details and Patch Pull Request

Timeline

Published on: 02/28/2022 16:15:00 UTC
Last modified on: 03/08/2022 18:03:00 UTC