VYPR
Critical severity · NVD Advisory · Published Feb 28, 2022 · Updated Apr 23, 2025

Remote CLI Command Execution Vulnerability in CodeIgniter4

CVE-2022-24711

Description

CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in CodeIgniter4 before 4.1.9 allows attackers to execute CLI routes via HTTP requests, leading to potential remote code execution.

Vulnerability

CodeIgniter4 versions prior to 4.1.9 contain an improper input validation vulnerability that allows attackers to execute CLI routes via HTTP requests. The framework fails to restrict CLI routes to command-line access only, making them reachable through HTTP. Affected versions are all 4.x releases before 4.1.9. [1][2]

Exploitation

An attacker with network access to the web server can send a crafted HTTP request that targets a CLI route. No authentication is required if the route is publicly accessible. The attacker identifies a CLI route, crafts an HTTP request for it, and sends it to the server; the framework dispatches the request to that route as if it had come from the command line. [1][2]

Impact

Successful exploitation allows the attacker to execute arbitrary CLI commands on the server, potentially leading to remote code execution, data exfiltration, or full server compromise. The attacker gains the privileges of the web server user. [1][2]

Mitigation

The vulnerability is fixed in CodeIgniter4 version 4.1.9, released on 2022-02-25. Users should upgrade immediately. No workarounds are available. The vulnerability is not listed in CISA KEV as of this writing. [1][2]
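The Vulnerability and Mitigation sections above describe the two checks the 4.1.9 fix introduces: an HTTP request whose effective verb is cli is refused with a 405, and the _method override only accepts PUT, PATCH and DELETE. The following is an added Python model of that logic, written for this page and not the framework's own code; the Request class, the ROUTES table and the handler names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for a CodeIgniter4 request (not the framework's class)."""
    method: str                 # REQUEST_METHOD as the web server passed it
    from_cli: bool = False      # True only when PHP itself ran from the console
    post: dict = field(default_factory=dict)

# Constructed route table, verb -> path -> handler. The 'cli' verb is what
# $routes->cli() registers and is meant to be reachable only from the console.
ROUTES = {
    "get": {"/": "Home::index"},
    "cli": {"/cli": "Popcorn::index"},
}

SPOOF_ALLOWLIST = ("PUT", "PATCH", "DELETE")

def spoof_request_method(req: Request, patched: bool) -> str:
    """Model of spoofRequestMethod(): honour a _method override on POST.
    Before the fix any value was accepted; after it only the allowlist is."""
    override = req.post.get("_method")
    if override is None or req.method.lower() != "post":
        return req.method.lower()
    if patched and override.upper() not in SPOOF_ALLOWLIST:
        return req.method.lower()          # override dropped, verb stays post
    return override.lower()

def dispatch(req: Request, path: str, patched: bool) -> tuple:
    """Model of CodeIgniter::run(): resolve the verb, then the route."""
    method = spoof_request_method(req, patched)
    # The fix: a non-console request whose verb is 'cli' is refused before
    # routing, however that verb was arrived at (REQUEST_METHOD or override).
    if patched and not req.from_cli and method == "cli":
        return (405, "Method Not Allowed")
    handler = ROUTES.get(method, {}).get(path)
    if handler is None:
        return (404, "Not Found")
    return (200, handler)
```

With patched=False an HTTP request carrying REQUEST_METHOD CLI, or a POST with _method=cli, reaches the Popcorn::index handler; with patched=True the first gets 405 and the second 404, while a genuine console run (from_cli=True) is still served.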

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               | Affected versions | Patched versions
codeigniter4/framework (Packagist)    | < 4.1.9           | 4.1.9

Patches (1)

Commit 202f41ad522b

Merge pull request from GHSA-xjp4-6w75-qrj7

10 files changed · +100 −11
  • CHANGELOG.md (+9 −0, modified)
    @@ -1,5 +1,14 @@
     # Changelog
     
    +## [v4.1.9](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.9) (2022-02-25)
    +
    +[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.8...v4.1.9)
    +
    +**SECURITY**
    +
    +* *Remote CLI Command Execution Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7) for more information.
    +* *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554) for more information.
    +
     ## [v4.1.8](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.8) (2022-01-24)
     
     [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.7...v4.1.8)
    
  • composer.json (+3 −3, modified)
    @@ -15,13 +15,13 @@
             "psr/log": "^1.1"
         },
         "require-dev": {
    -        "codeigniter/coding-standard": "^1.1",
    +        "codeigniter/coding-standard": "1.2.*",
             "fakerphp/faker": "^1.9",
    -        "friendsofphp/php-cs-fixer": "^3.1",
    +        "friendsofphp/php-cs-fixer": "3.2.*",
             "mikey179/vfsstream": "^1.6",
             "nexusphp/cs-config": "^3.3",
             "nexusphp/tachycardia": "^1.0",
    -        "phpstan/phpstan": "^1.0",
    +        "phpstan/phpstan": "1.4.3",
             "phpunit/phpunit": "^9.1",
             "predis/predis": "^1.1",
             "rector/rector": "0.12.10"
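Review bot: the three dev-dependency pins in this hunk (codeigniter/coding-standard 1.2.*, friendsofphp/php-cs-fixer 3.2.*, phpstan/phpstan 1.4.3) are unrelated to the CLI-route fix; bundling tooling changes into a security commit widens what backporters and downstream reviewers have to read, so consider landing them separately. The phpstan pin is exact while the other two are wildcard ranges; pick one convention.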
    
  • phpstan-baseline.neon.dist (+0 −5, modified)
    @@ -115,11 +115,6 @@ parameters:
     			count: 1
     			path: system/CodeIgniter.php
     
    -		-
    -			message: "#^Dead catch \\- CodeIgniter\\\\Exceptions\\\\PageNotFoundException is never thrown in the try block\\.$#"
    -			count: 1
    -			path: system/CodeIgniter.php
    -
     		-
     			message: "#^Property Config\\\\App\\:\\:\\$appTimezone \\(string\\) on left side of \\?\\? is not nullable\\.$#"
     			count: 1
    
  • system/CodeIgniter.php (+12 −2, modified)
    @@ -45,7 +45,7 @@ class CodeIgniter
         /**
          * The current version of CodeIgniter Framework
          */
    -    public const CI_VERSION = '4.1.8';
    +    public const CI_VERSION = '4.1.9';
     
         private const MIN_PHP_VERSION = '7.3';
     
    @@ -299,6 +299,12 @@ public function run(?RouteCollectionInterface $routes = null, bool $returnRespon
     
             $this->spoofRequestMethod();
     
    +        if ($this->request instanceof IncomingRequest && $this->request->getMethod() === 'cli') {
    +            $this->response->setStatusCode(405)->setBody('Method Not Allowed');
    +
    +            return $this->sendResponse();
    +        }
    +
             Events::trigger('pre_system');
     
             // Check for a cached page. Execution will stop
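Review bot: the 405 in the new check is sent without an Allow header, which RFC 7231 requires on a 405 response; consider `$this->response->setHeader('Allow', ...)` with the verbs the router accepts for that URI, or answer 404 so a CLI-only route is not disclosed to HTTP clients. Placing the check after `$this->spoofRequestMethod()` is right, since it also covers a 'cli' verb reached through the `_method` override, and returning before `Events::trigger('pre_system')` keeps filters and the page cache away from the refused request.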
    @@ -352,6 +358,7 @@ public function useSafeOutput(bool $safe = true)
         /**
          * Handles the main request logic and fires the controller.
          *
    +     * @throws PageNotFoundException
          * @throws RedirectException
          *
          * @return mixed|RequestInterface|ResponseInterface
    @@ -976,7 +983,10 @@ public function spoofRequestMethod()
                 return;
             }
     
    -        $this->request = $this->request->setMethod($method);
    +        // Only allows PUT, PATCH, DELETE
    +        if (in_array(strtoupper($method), ['PUT', 'PATCH', 'DELETE'], true)) {
    +            $this->request = $this->request->setMethod($method);
    +        }
         }
     
         /**
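Review bot: rejected `_method` values are dropped silently in the new `in_array` branch; a `log_message('warning', ...)` when the override falls outside the allowlist would make probing of the override visible to operators. The strict comparison after `strtoupper` is correct, and passing the original casing to `setMethod($method)` is fine because `getMethod()` normalises case, which is what the new test asserting the lowercase 'put' relies on.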
    
  • tests/system/CodeIgniterTest.php (+55 −0, modified)
    @@ -425,4 +425,59 @@ public function testRunDefaultRoute()
     
             $this->assertStringContainsString('Welcome to CodeIgniter', $output);
         }
    +
    +    public function testRunCLIRoute()
    +    {
    +        $_SERVER['argv'] = ['index.php', 'cli'];
    +        $_SERVER['argc'] = 2;
    +
    +        $_SERVER['REQUEST_URI']     = '/cli';
    +        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
    +        $_SERVER['REQUEST_METHOD']  = 'CLI';
    +
    +        $routes = Services::routes();
    +        $routes->cli('cli', '\Tests\Support\Controllers\Popcorn::index');
    +
    +        ob_start();
    +        $this->codeigniter->useSafeOutput(true)->run();
    +        $output = ob_get_clean();
    +
    +        $this->assertStringContainsString('Method Not Allowed', $output);
    +    }
    +
    +    public function testSpoofRequestMethodCanUsePUT()
    +    {
    +        $_SERVER['argv'] = ['index.php'];
    +        $_SERVER['argc'] = 1;
    +
    +        $_SERVER['REQUEST_URI']     = '/';
    +        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
    +        $_SERVER['REQUEST_METHOD']  = 'POST';
    +
    +        $_POST['_method'] = 'PUT';
    +
    +        ob_start();
    +        $this->codeigniter->useSafeOutput(true)->run();
    +        ob_get_clean();
    +
    +        $this->assertSame('put', Services::request()->getMethod());
    +    }
    +
    +    public function testSpoofRequestMethodCannotUseGET()
    +    {
    +        $_SERVER['argv'] = ['index.php'];
    +        $_SERVER['argc'] = 1;
    +
    +        $_SERVER['REQUEST_URI']     = '/';
    +        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
    +        $_SERVER['REQUEST_METHOD']  = 'POST';
    +
    +        $_POST['_method'] = 'GET';
    +
    +        ob_start();
    +        $this->codeigniter->useSafeOutput(true)->run();
    +        ob_get_clean();
    +
    +        $this->assertSame('post', Services::request()->getMethod());
    +    }
     }
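Review bot: the three new tests write `$_SERVER['REQUEST_METHOD']`, `$_SERVER['argv']` and `$_POST['_method']` without restoring them; unless `CIUnitTestCase` resets superglobals between tests, `$_POST['_method'] = 'GET'` left behind by `testSpoofRequestMethodCannotUseGET` can leak into later tests in the same process, so save and restore these in setUp/tearDown. A companion case where the request is a genuine `CLIRequest` hitting the `$routes->cli()` route would confirm console use still works after the 405 check.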
    
  • tests/system/Commands/CommandTest.php (+2 −0, modified)
    @@ -27,6 +27,8 @@ final class CommandTest extends CIUnitTestCase
     
         protected function setUp(): void
         {
    +        $this->resetServices();
    +
             parent::setUp();
     
             CITestStreamFilter::$buffer = '';
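Review bot: `$this->resetServices()` is called before `parent::setUp()` with no comment; a one-line note on why the reset is needed here (presumably a stale request service left by the new request-method tests) would help, since the ordering otherwise looks accidental.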
    
  • user_guide_src/source/changelogs/index.rst (+1 −0, modified)
    @@ -12,6 +12,7 @@ See all the changes.
     .. toctree::
         :titlesonly:
     
    +    v4.1.9
         v4.1.8
         v4.1.7
         v4.1.6
    
  • user_guide_src/source/changelogs/v4.1.9.rst (+16 −0, added)
    @@ -0,0 +1,16 @@
    +Version 4.1.9
    +#############
    +
    +Release Date: February 25, 2022
    +
    +**4.1.9 release of CodeIgniter4**
    +
    +.. contents::
    +    :local:
    +    :depth: 2
    +
    +SECURITY
    +********
    +
    +- *Remote CLI Command Execution Vulnerability* was fixed. See the `Security advisory GHSA-xjp4-6w75-qrj7 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7>`_ for more information.
    +- *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the `Security advisory GHSA-4v37-24gm-h554 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554>`_ for more information.
    
  • user_guide_src/source/conf.py (+1 −1, modified)
    @@ -24,7 +24,7 @@
     version = '4.1'
     
     # The full version, including alpha/beta/rc tags.
    -release = '4.1.8'
    +release = '4.1.9'
     
     # -- General configuration ---------------------------------------------------
     
    
  • user_guide_src/source/installation/upgrading.rst (+1 −0, modified)
    @@ -8,6 +8,7 @@ upgrading from.
     .. toctree::
         :titlesonly:
     
    +    Upgrading from 4.1.7 to 4.1.8 <upgrade_418>
         Upgrading from 4.1.6 to 4.1.7 <upgrade_417>
         Upgrading from 4.1.5 to 4.1.6 <upgrade_416>
         Upgrading from 4.1.4 to 4.1.5 <upgrade_415>
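Review bot: the toctree entry added here references `upgrade_418`, but no `upgrade_418.rst` is part of this commit and no 4.1.8 to 4.1.9 entry is added; confirm the document exists on the branch, and either add an `upgrade_419` page or state in the changelog that 4.1.9 needs no upgrade steps.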
    

