CVE-2024-29904

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in CodeIgniter's Language class allows attackers to trigger excessive memory consumption on the server. It affects every CodeIgniter4 application that uses the vulnerable Language class functionality. Attackers can exploit it to crash the server or degrade its performance.

💻 Affected Systems

Products:
  • CodeIgniter4
Versions: All versions before 4.4.7
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any CodeIgniter4 application using the Language class functionality. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Server becomes unresponsive due to memory exhaustion, causing complete service outage and requiring a server restart.

🟠 Likely Case: Degraded application performance, increased memory usage, and potential service disruption for legitimate users.

🟢 If Mitigated: Minimal impact with proper memory limits and monitoring in place, but still vulnerable to targeted attacks.

🌐 Internet-Facing: HIGH - Publicly accessible applications can be directly targeted by unauthenticated attackers.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable by authenticated users or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in core framework functionality and requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.7 or later

Vendor Advisory: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-39fp-mqmm-gxj6

Restart Required: No

Instructions:

1. Update CodeIgniter4 to version 4.4.7 or later via Composer: composer require codeigniter4/framework:^4.4.7
2. Verify the update completed successfully
3. Test application functionality

🔧 Temporary Workarounds

Implement PHP memory limits (applies to: all)

Set strict memory limits in PHP configuration to prevent complete server exhaustion.

php.ini: memory_limit = 128M

Rate limiting (applies to: all)

Implement request rate limiting to prevent repeated exploitation attempts.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block suspicious Language class usage patterns
  • Increase server monitoring for abnormal memory consumption and implement automatic alerting

🔍 How to Verify

Check if Vulnerable:

Check CodeIgniter version in composer.json or via phpinfo() if framework version is exposed

Check Version:

composer show codeigniter4/framework | grep versions

Verify Fix Applied:

Verify CodeIgniter version is 4.4.7 or higher: composer show codeigniter4/framework
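As an added example (not from the advisory or the CodeIgniter project), the check above automated against composer.lock, which records the exact installed release rather than the constraint in composer.json; the script reports whether the locked codeigniter4/framework version is below the fixed 4.4.7. The lock file content below is constructed for illustration.

```python
import json
import re

PACKAGE = "codeigniter4/framework"
FIXED_VERSION = (4, 4, 7)  # first release containing the fix, per the advisory


def parse_version(version):
    """Turn a Composer tag such as 'v4.4.6' or '4.4.7' into an int tuple.

    Returns None for non-release strings (e.g. 'dev-develop'), which cannot be
    compared against a release number and need manual review.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def installed_version(lock_text, package=PACKAGE):
    """Return the locked version string of `package`, or None if it is absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_vulnerable(lock_text):
    """True if the locked framework is below 4.4.7, False if fixed,
    None if the package is missing or the version is not a release tag."""
    version = installed_version(lock_text)
    parsed = parse_version(version) if version else None
    if parsed is None:
        return None
    return parsed < FIXED_VERSION


# Constructed composer.lock fragment (not a real lock file) pinning a vulnerable release
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "codeigniter4/framework", "version": "v4.4.6"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    state = {True: "VULNERABLE", False: "fixed", None: "unknown (check manually)"}
    print(f"{PACKAGE}: {state[is_vulnerable(SAMPLE_LOCK)]}")
```

Run it against the real file with `is_vulnerable(open("composer.lock").read())`; a `None` result means the package is absent or pinned to a branch alias and must be checked by hand.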

📡 Detection & Monitoring

Log Indicators:

  • Unusually high memory usage spikes
  • Multiple rapid requests to language-related endpoints
  • PHP memory limit errors in logs

Network Indicators:

  • High volume of requests to language/translation endpoints
  • Abnormal request patterns targeting Language class functionality

SIEM Query:

source="php_error.log" AND ("Allowed memory size" OR "memory_limit") AND process="php-fpm"
