CVE-2022-24711
📋 TL;DR
CVE-2022-24711 is an improper input validation vulnerability in CodeIgniter4 that allows attackers to execute CLI (Command Line Interface) routes via HTTP requests. This affects all CodeIgniter4 installations prior to version 4.1.9, potentially enabling remote code execution on vulnerable web servers.
💻 Affected Systems
- CodeIgniter4
📦 What is this software?
Codeigniter by Codeigniter
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full server control through arbitrary command execution, potentially leading to data theft, system compromise, or ransomware deployment.
Likely Case
Attackers execute arbitrary commands on the web server, compromising the application and potentially accessing sensitive data or pivoting to internal systems.
If Mitigated
With proper network segmentation and least privilege, impact is limited to the web application layer, though data exposure and application compromise still occur.
🎯 Exploit Status
The vulnerability is straightforward to exploit via crafted HTTP requests. Public proof-of-concept code is available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.9
Vendor Advisory: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7
Restart Required: No
Instructions:
1. Update CodeIgniter4 to version 4.1.9 or later using Composer: composer require codeigniter4/framework:^4.1.9
2. Replace the entire framework directory with the patched version
3. Clear any cached routes or configuration files
4. Test application functionality after update
🔧 Temporary Workarounds
Block CLI Route Access via Web Server
allConfigure web server to block requests to CLI routes
# For Apache: Add to .htaccess
RewriteRule ^cli/ - [F,L]
# For Nginx: Add to server block
location ~ ^/cli/ { return 403; }
🧯 If You Can't Patch
- Implement strict WAF rules to block requests containing CLI route patterns
- Isolate vulnerable servers in network segments with strict egress filtering
🔍 How to Verify
Check if Vulnerable:
Check CodeIgniter4 version in composer.json or framework files. If version is below 4.1.9, the system is vulnerable.Check Version:
grep -r "version" vendor/codeigniter4/system/CodeIgniter.php | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'Verify Fix Applied:
Verify version is 4.1.9 or higher and test that CLI routes cannot be accessed via HTTP requests.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cli/* routes
- Unusual command execution in web server logs
- 404 errors for CLI route attempts after patching
Network Indicators:
- HTTP POST/GET requests to CLI endpoints
- Unusual outbound connections from web server
SIEM Query:
source="web_logs" AND (uri="/cli/*" OR user_agent="*CodeIgniter*" AND status=200)🔗 References
- https://github.com/codeigniter4/CodeIgniter4/commit/202f41ad522ba1d414b9d9c35aba1cb0c156b781
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7
- https://github.com/codeigniter4/CodeIgniter4/commit/202f41ad522ba1d414b9d9c35aba1cb0c156b781
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7
