CVE-2025-24013
Severity: MEDIUM
CodeIgniter < 4.5.8 - Denial of Service via Malformed HTTP Header Injection
Title source: llmDescription
CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper validation of a header's name and value. A potential attacker can construct deliberately malformed headers with the Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service's web application firewall interprets them as malicious and blocks further communication with the application. This vulnerability is fixed in 4.5.8.
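The missing check described above, written as an added example in PHP (not CodeIgniter's own code or its 4.5.8 fix): the header name is held to the RFC 7230 section 3.2 token grammar and the value is rejected if it contains CR, LF, NUL or any other control character besides HTAB. The class and method names are assumptions for illustration, and the sample inputs are constructed.

```php
<?php
// Added example, not CodeIgniter's code: validate a header name and value
// against RFC 7230 section 3.2 before a request is built, so a malformed
// header is refused at the application boundary instead of being sent.

final class HeaderValidator
{
    // field-name = token = 1*tchar (RFC 7230 section 3.2.6). \z, not $,
    // so a trailing newline cannot slip past the end anchor.
    private const TOKEN_RE = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';

    // field-content: VCHAR, obs-text, SP and HTAB only. CR, LF, NUL and
    // every other control character are rejected (no header splitting).
    private const VALUE_RE = '/^[\x20\x09\x21-\x7E\x80-\xFF]*\z/';

    public static function isValidName(string $name): bool
    {
        return preg_match(self::TOKEN_RE, $name) === 1;
    }

    public static function isValidValue(string $value): bool
    {
        return preg_match(self::VALUE_RE, $value) === 1;
    }

    // Fail closed: throw rather than emit an invalid header line.
    public static function assertValid(string $name, string $value): void
    {
        if (!self::isValidName($name)) {
            throw new InvalidArgumentException('Invalid header name: ' . var_export($name, true));
        }
        if (!self::isValidValue($value)) {
            throw new InvalidArgumentException("Invalid header value for $name");
        }
    }
}

// Constructed samples: the first pair is well-formed, the rest are malformed.
$samples = [
    ['X-Request-Id', 'abc-123'],
    ['X Bad Name', 'ok'],               // space is not a tchar
    ['X-Split', "ok\r\nX-Other: 1"],    // CR/LF would start a second header
    ['X-Null', "a\0b"],                 // NUL is a control character
];
foreach ($samples as [$n, $v]) {
    try {
        HeaderValidator::assertValid($n, $v);
        echo "accepted: $n\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first sample is accepted; each of the others raises InvalidArgumentException with the offending name.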
References (4)
- Vendor Advisory (x_refsource_confirm): https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6
- Patch (x_refsource_misc): https://github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6
- Technical Description (x_refsource_misc): https://datatracker.ietf.org/doc/html/rfc7230#section-3.2
- Not Applicable (x_refsource_misc): https://github.com/advisories/GHSA-wxmh-65f7-jcvw
Scores
- CVSS v3: 5.3
- EPSS: 0.0046
- EPSS Percentile: 36.0%
- Attack Vector: NETWORK
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
Details
- CWE: CWE-436
- Status: published
Products (2)
- codeigniter/codeigniter: < 4.5.8
- codeigniter4/framework: 0 - 4.5.8 (Packagist)
Published: Jan 20, 2025
Tracked Since: Feb 18, 2026