CVE-2025-24013

5.3 MEDIUM

📋 TL;DR

CodeIgniter versions before 4.5.8 lack proper validation for HTTP header names and values, allowing attackers to craft malformed headers. This can disrupt application functionality, cause errors, or generate invalid HTTP requests. All CodeIgniter applications using affected versions are vulnerable.

💻 Affected Systems

Products:
  • CodeIgniter
Versions: All versions prior to 4.5.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using CodeIgniter's Header class functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of Service if downstream web application firewalls interpret malformed requests as malicious and block legitimate traffic to the application.

🟠

Likely Case

Application errors, disrupted functionality, or invalid HTTP requests being sent to external services.

🟢

If Mitigated

Minimal impact with proper input validation and WAF configuration.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the ability to send HTTP requests to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.8

Vendor Advisory: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6

Restart Required: Yes

Instructions:

1. Update CodeIgniter to version 4.5.8 or later using Composer: composer require codeigniter4/framework:^4.5.8
2. Restart your web server (Apache/Nginx) and PHP-FPM if applicable.

🔧 Temporary Workarounds

Input Validation Wrapper

all

Implement custom validation for header names and values before passing them to CodeIgniter's Header class.
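The following is an added example of such a validation wrapper; it is not code from CodeIgniter or from the advisory. It checks header names against the RFC 9110 token grammar and rejects values containing CR, LF, NUL or other control characters before anything reaches the framework. The setHeaderSafely() helper, the HeaderGuard class and the stand-in $response object are assumptions for this example; in a real application $response would be the CodeIgniter ResponseInterface, whose setHeader(string $name, $value) method the wrapper calls.

```php
<?php
// Added example (not CodeIgniter's own code): reject malformed header names and values
// before they are handed to the framework. Assumes PHP 8.x.
declare(strict_types=1);

final class HeaderGuard
{
    // RFC 9110 "token": one or more tchar (no spaces, colons, or control characters)
    private const NAME_PATTERN = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/';
    // field-value: VCHAR (0x21-0x7E), SP, HTAB, obs-text (0x80-0xFF); CR, LF, NUL and
    // all other control characters are excluded
    private const VALUE_PATTERN = '/^[\x20\x09\x21-\x7E\x80-\xFF]*$/';

    public static function isValidName(string $name): bool
    {
        return preg_match(self::NAME_PATTERN, $name) === 1;
    }

    public static function isValidValue(string $value): bool
    {
        return preg_match(self::VALUE_PATTERN, $value) === 1;
    }

    // Throws on the first problem so the caller never emits a half-validated header.
    public static function assertValid(string $name, string $value): void
    {
        if (!self::isValidName($name)) {
            throw new InvalidArgumentException('Invalid header name: ' . json_encode($name));
        }
        if (!self::isValidValue($value)) {
            throw new InvalidArgumentException('Invalid header value for ' . $name . ': ' . json_encode($value));
        }
    }
}

// Wrapper around setHeader(); $response is any object exposing setHeader(string, string).
// In a CodeIgniter application this would be the ResponseInterface (assumed usage).
function setHeaderSafely(object $response, string $name, string $value): void
{
    HeaderGuard::assertValid($name, $value);
    $response->setHeader($name, $value);
}

// Constructed sample inputs: the first is well-formed, the others are the kinds of
// malformed headers the advisory describes (CRLF injection, space in name, NUL in value).
$samples = [
    ['X-Request-Id', 'abc123'],
    ['Location', "/home\r\nSet-Cookie: session=evil"],
    ['Bad Name', 'value'],
    ['X-Trace', "ok\0hidden"],
];

// Stand-in response object so the example runs without the framework installed
$response = new class {
    public array $headers = [];
    public function setHeader(string $name, string $value): void
    {
        $this->headers[$name] = $value;
    }
};

foreach ($samples as [$name, $value]) {
    try {
        setHeaderSafely($response, $name, $value);
        echo "accepted: $name\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Run it with php on the command line: only X-Request-Id is accepted, the other three samples are rejected before setHeader() is called. The value pattern deliberately allows obs-text bytes (0x80-0xFF) so that legitimate non-ASCII values are not broken; tighten it to pure ASCII if your application never emits such values.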

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) to filter malformed HTTP headers
  • Monitor application logs for unusual header patterns and block offending IPs

🔍 How to Verify

Check if Vulnerable:

Check composer.json or the CodeIgniter version constant for a version below 4.5.8.

Check Version:

php -r "require 'vendor/autoload.php'; echo 'CodeIgniter ' . CodeIgniter\CodeIgniter::CI_VERSION . PHP_EOL;"

(Run from the project root; the Composer autoloader must be loaded for the CodeIgniter class to be found.)

Verify Fix Applied:

Confirm the version is 4.5.8 or higher and test the header validation functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual or malformed HTTP headers in access/error logs
  • Application errors related to header processing

Network Indicators:

  • HTTP requests with non-RFC compliant header formats

SIEM Query:

source="web_logs" AND (header_name="*[invalid chars]*" OR header_value="*[invalid chars]*")
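As an added example of the log monitoring described above (not part of the advisory), the script below scans captured request header lines for the non-RFC-compliant patterns listed under Log Indicators and Network Indicators and tallies hits per source IP. The log format "<ip> <header-name>: <header-value>" and the sample lines are constructed for this example; adapt scanHeaderLog() to the format your reverse proxy or application actually writes.

```php
<?php
// Added example (not from the advisory): flag malformed request headers in a log and
// count them per source IP. Assumes PHP 8.x and a constructed line format
// "<ip> <name>: <value>"; real proxy/application logs will need a different parser.
declare(strict_types=1);

// RFC 9110 token grammar for header names
const TOKEN_RE = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/';

// Classify one header; returns null when the header is well-formed.
function classifyHeader(string $name, string $value): ?string
{
    if (preg_match(TOKEN_RE, $name) !== 1) {
        return 'invalid-name';
    }
    if (str_contains($value, "\r") || str_contains($value, "\n")) {
        return 'crlf-in-value';
    }
    // NUL, other C0 controls (except SP/HTAB) and DEL are not allowed in field values
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 1) {
        return 'control-char-in-value';
    }
    return null;
}

// Parse lines of "<ip> <name>: <value>" and return ['ip' => ['category' => count]].
// Lines that do not split into name/value at all are counted as 'unparseable'.
function scanHeaderLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // /s lets '.' match CR/LF so an injected second line stays inside the value
        if (preg_match('/^(\S+) ([^:]*):\s?(.*)$/s', $line, $m) !== 1) {
            $ip = strtok($line, ' ') ?: 'unknown';
            $hits[$ip]['unparseable'] = ($hits[$ip]['unparseable'] ?? 0) + 1;
            continue;
        }
        [, $ip, $name, $value] = $m;
        $category = classifyHeader($name, $value);
        if ($category !== null) {
            $hits[$ip][$category] = ($hits[$ip][$category] ?? 0) + 1;
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation-range IPs): two clean headers, then a
// CRLF injection attempt, a name with a space, a control character, and a garbage line.
$constructedLines = [
    "203.0.113.7 Host: example.com",
    "203.0.113.7 X-Forwarded-For: 203.0.113.7",
    "198.51.100.23 X-Injected: foo\r\nSet-Cookie: a=b",
    "198.51.100.23 Bad Name: value",
    "198.51.100.23 X-Ctrl: abc\x01def",
    "192.0.2.9 garbage-without-colon",
];

$report = scanHeaderLog($constructedLines);
foreach ($report as $ip => $categories) {
    arsort($categories);
    echo $ip, ': ', json_encode($categories), "\n";
}
```

Only IPs with at least one finding appear in the report: 203.0.113.7 is absent, 198.51.100.23 shows one hit in each malformed category and 192.0.2.9 one unparseable line. Thresholds on these per-IP counts are a reasonable basis for the blocking decision the mitigation list mentions; a single hit is often a broken client rather than an attack.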
