CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment
Description
CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace ini_set('display_errors', '0') with ini_set('display_errors', 'Off') in app/Config/Boot/production.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CodeIgniter4 before v4.4.3 can leak detailed error reports in production environments, exposing confidential information.
Root Cause
CVE-2023-46240 affects CodeIgniter4 versions prior to 4.4.3. The vulnerability arises because the framework does not suppress detailed error reports in the production environment. Even when ini_set('display_errors', '0') is set in app/Config/Boot/production.php, a code error or exception can still cause a verbose error page to be displayed, rather than the generic message expected for production [1][2].
Exploitation
An attacker does not need special authentication or network position to trigger this issue. Any request that causes an unhandled PHP error or exception within the application will result in the detailed error report being shown to the attacker. This can be done through malformed input, triggering edge cases, or exploiting other weaknesses that produce exceptions [2].
Impact
Successful exploitation leaks sensitive internal information included in the error report, such as file paths, database queries, configuration values, and stack traces. This information can facilitate further attacks, such as targeted SQL injection or remote code execution, by exposing the application's internals [2].
Mitigation
Version 4.4.3 of CodeIgniter4 includes a patch that ensures detailed error reports are not displayed in production. As a workaround, administrators can replace '0' with 'Off' in the ini_set() call within app/Config/Boot/production.php. The fix was implemented in commit 423569fc31e29f51635a2e59c89770333f0e7563 [2][3].
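To make the root cause and the workaround concrete, the following added PHP script (not part of the advisory or of the CodeIgniter code base) evaluates the pre-4.4.3 and the 4.4.3 versions of the display_errors check from determineView() over a few constructed ini values. The two predicates are transcribed from the fix commit; the function names, the table and the sample values are this example's own. It serves both the Root Cause and the Mitigation sections above.

```php
<?php
// Added example, not CodeIgniter's own code. The two predicates below are transcribed
// from the fix commit's before/after versions of determineView(); the function names,
// the comparison table and the sample values are this example's own constructions.

declare(strict_types=1);

/** Pre-4.4.3 check: strip "off-like" words and treat any leftover text as "on". */
function detailedReportShownBefore443(string $displayErrors): bool
{
    return str_ireplace(['off', 'none', 'no', 'false', 'null'], '', $displayErrors) !== '';
}

/** 4.4.3 check: only an explicit allowlist of values turns the detailed report on. */
function detailedReportShownSince443(string $displayErrors): bool
{
    return in_array(strtolower($displayErrors), ['1', 'true', 'on', 'yes'], true);
}

/** Which error view each version of the check would select for a given ini value. */
function viewFor(bool $detailed): string
{
    return $detailed ? 'error_exception.php' : 'production.php';
}

// Constructed sample values: '0' is what app/Config/Boot/production.php ships with,
// 'Off' is the advisory's workaround, the rest are other values an operator might set.
$samples = ['0', 'Off', '1', 'On', 'stderr', ''];

printf("%-9s %-20s %s\n", 'value', 'before 4.4.3', 'since 4.4.3');
foreach ($samples as $value) {
    printf(
        "%-9s %-20s %s\n",
        "'" . $value . "'",
        viewFor(detailedReportShownBefore443($value)),
        viewFor(detailedReportShownSince443($value))
    );
}
```

Run it with `php example.php`. The '0' row is the defect: the old denylist leaves '0' untouched, so the non-empty remainder selected error_exception.php even in production, while 'Off' was stripped to the empty string and correctly selected production.php, which is exactly why the workaround is to write 'Off'. With the 4.4.3 allowlist every unrecognised value, including '0' and 'stderr', falls through to production.php, so the generic page is the default rather than the exception.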
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| codeigniter4/framework (Packagist) | < 4.4.3 | 4.4.3 |
Affected products
- (no CPE) range: < 4.4.3
- (no CPE) range: < 4.4.3
- codeigniter4/CodeIgniter4 range: < 4.4.3
Patches
423569fc31e2 Merge pull request from GHSA-hwxf-qxj7-7rfj
12 files changed · +74 −7
app/Config/Boot/development.php+2 −0 modified@@ -7,6 +7,8 @@ | In development, we want to show as many errors as possible to help | make sure they don't make it to production. And save us hours of | painful debugging. + | + | If you set 'display_errors' to '1', CI4's detailed error report will show. */ error_reporting(-1); ini_set('display_errors', '1');
app/Config/Boot/production.php+2 −0 modified@@ -6,6 +6,8 @@ |-------------------------------------------------------------------------- | Don't show ANY in production environments. Instead, let the system catch | it and display a generic error message. + | + | If you set 'display_errors' to '1', CI4's detailed error report will show. */ ini_set('display_errors', '0'); error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT & ~E_USER_NOTICE & ~E_USER_DEPRECATED);
app/Config/Boot/testing.php+6 −0 modified@@ -1,5 +1,11 @@ <?php +/* + * The environment testing is reserved for PHPUnit testing. It has special + * conditions built into the framework at various places to assist with that. + * You can’t use it for your development. + */ + /* |-------------------------------------------------------------------------- | ERROR DISPLAY
app/Views/errors/html/error_404.php+1 −1 modified@@ -77,7 +77,7 @@ <?= nl2br(esc($message)) ?> <?php else : ?> <?= lang('Errors.sorryCannotFind') ?> - <?php endif ?> + <?php endif; ?> </p> </div> </body>
app/Views/errors/html/error_exception.php+5 −2 modified@@ -44,6 +44,7 @@ <?php endif; ?> </div> + <?php if (defined('SHOW_DEBUG_BACKTRACE') && SHOW_DEBUG_BACKTRACE) : ?> <div class="container"> <ul class="tabs" id="tabs"> @@ -66,7 +67,7 @@ <li> <p> <!-- Trace info --> - <?php if (isset($row['file']) && is_file($row['file'])) :?> + <?php if (isset($row['file']) && is_file($row['file'])) : ?> <?php if (isset($row['function']) && in_array($row['function'], ['include', 'include_once', 'require', 'require_once'], true)) { echo esc($row['function'] . ' ' . clean_path($row['file'])); @@ -375,14 +376,16 @@ </div> <!-- /tab-content --> </div> <!-- /container --> + <?php endif; ?> <div class="footer"> <div class="container"> <p> Displayed at <?= esc(date('H:i:sa')) ?> — PHP: <?= esc(PHP_VERSION) ?> — - CodeIgniter: <?= esc(CodeIgniter::CI_VERSION) ?> + CodeIgniter: <?= esc(CodeIgniter::CI_VERSION) ?> -- + Environment: <?= ENVIRONMENT ?> </p> </div>
system/Debug/ExceptionHandler.php+7 −1 modified@@ -129,7 +129,13 @@ protected function determineView(Throwable $exception, string $templatePath): st // Production environments should have a custom exception file. $view = 'production.php'; - if (str_ireplace(['off', 'none', 'no', 'false', 'null'], '', ini_get('display_errors')) !== '') { + if ( + in_array( + strtolower(ini_get('display_errors')), + ['1', 'true', 'on', 'yes'], + true + ) + ) { $view = 'error_exception.php'; }
system/Debug/Exceptions.php+7 −1 modified@@ -253,7 +253,13 @@ protected function determineView(Throwable $exception, string $templatePath): st $view = 'production.php'; $templatePath = rtrim($templatePath, '\\/ ') . DIRECTORY_SEPARATOR; - if (str_ireplace(['off', 'none', 'no', 'false', 'null'], '', ini_get('display_errors')) !== '') { + if ( + in_array( + strtolower(ini_get('display_errors')), + ['1', 'true', 'on', 'yes'], + true + ) + ) { $view = 'error_exception.php'; }
tests/system/Debug/ExceptionHandlerTest.php+15 −0 modified@@ -70,6 +70,21 @@ public function testDetermineViewsRuntimeExceptionCode404(): void $this->assertSame('error_404.php', $viewFile); } + public function testDetermineViewsDisplayErrorsOffRuntimeException(): void + { + ini_set('display_errors', '0'); + + $determineView = $this->getPrivateMethodInvoker($this->handler, 'determineView'); + + $exception = new RuntimeException('Exception'); + $templatePath = APPPATH . 'Views/errors/html'; + $viewFile = $determineView($exception, $templatePath); + + $this->assertSame('production.php', $viewFile); + + ini_set('display_errors', '1'); + } + public function testCollectVars(): void { $collectVars = $this->getPrivateMethodInvoker($this->handler, 'collectVars');
user_guide_src/source/changelogs/v4.4.3.rst+7 −0 modified@@ -9,6 +9,13 @@ Release Date: Unreleased :local: :depth: 3 +SECURITY +******** + +- *Detailed Error Report is Displayed in Production Environment* was fixed. + See the `Security advisory GHSA-hwxf-qxj7-7rfj <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj>`_ + for more information. + BREAKING ********
user_guide_src/source/general/environments.rst+2 −0 modified@@ -30,6 +30,8 @@ By default, CodeIgniter has three environments defined. If you want another environment, e.g., for staging, you can add custom environments. See `Adding Environments`_. +.. _setting-environment: + ******************* Setting Environment *******************
user_guide_src/source/general/errors.rst+6 −2 modified@@ -49,8 +49,12 @@ Error Reporting --------------- By default, CodeIgniter will display a detailed error report with all errors in the ``development`` and ``testing`` environments, and will not -display any errors in the ``production`` environment. You can change this by setting the ``CI_ENVIRONMENT`` variable -in the :ref:`.env <dotenv-file>` file. +display any errors in the ``production`` environment. + +.. image:: ../images/error.png + +You can change your environment by setting the ``CI_ENVIRONMENT`` variable. +See :ref:`setting-environment`. .. important:: Disabling error reporting DOES NOT stop logs from being written if there are errors.
user_guide_src/source/installation/upgrade_443.rst+14 −0 modified@@ -15,6 +15,14 @@ Please refer to the upgrade instructions corresponding to your installation meth Mandatory File Changes ********************** +error_exception.php +=================== + +The following file received significant changes and +**you must merge the updated versions** with your application: + +- app/Views/errors/html/error_exception.php + Breaking Changes **************** @@ -48,3 +56,9 @@ This is a list of all files in the **project space** that received changes; many will be simple comments or formatting that have no effect on the runtime: - @TODO +- app/Config/Boot/development.php +- app/Config/Boot/production.php +- app/Config/Boot/testing.php +- app/Config/Filters.php +- app/Views/errors/html/error_404.php +- app/Views/errors/html/error_exception.php
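Review bot: in the app/Views/errors/html/error_exception.php hunk, the new footer line `Environment: <?= ENVIRONMENT ?>` is the only output in that block not wrapped in esc(); the neighbouring PHP_VERSION and CI_VERSION values are escaped, so wrap ENVIRONMENT the same way for consistency. The new `defined('SHOW_DEBUG_BACKTRACE') && SHOW_DEBUG_BACKTRACE` guard now removes the whole container holding `<ul class="tabs" id="tabs">`, so check that any script in the template that looks up `#tabs` tolerates the element being absent.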
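Review bot: the replacement predicate in system/Debug/ExceptionHandler.php and system/Debug/Exceptions.php is duplicated verbatim; extract it into a shared helper so the two determineView() implementations cannot drift apart again. The removed line is the actual defect: `str_ireplace(['off', 'none', 'no', 'false', 'null'], '', ini_get('display_errors')) !== ''` leaves '0' untouched, so the shipped production default selected error_exception.php. The new `in_array(strtolower(ini_get('display_errors')), ['1', 'true', 'on', 'yes'], true)` is the right shape: anything unrecognised falls back to `$view = 'production.php'`, which is the safe default. Worth a one-line comment above it stating that unrecognised values intentionally map to the production view.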
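Review bot: testDetermineViewsDisplayErrorsOffRuntimeException in tests/system/Debug/ExceptionHandlerTest.php restores the directive with a hard-coded `ini_set('display_errors', '1');` at the end, which is skipped if the assertion fails and assumes the previous value was '1'; capture `ini_get('display_errors')` first and restore it in a finally block or tearDown(). The test also covers only '0'; a data provider over 'Off', '1', 'On' and an unrecognised value would pin the new allowlist, and there is no matching test for the identical change in system/Debug/Exceptions.php.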
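Review bot: the "project space" list in user_guide_src/source/installation/upgrade_443.rst adds `- app/Config/Filters.php`, but no change to that file appears in this commit's 12-file diff; either drop it or reference the commit it comes from. The `- @TODO` placeholder line directly above the added entries is left in place and should be removed before the release notes are published.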
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hwxf-qxj7-7rfj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-46240 (NVD advisory)
- codeigniter4.github.io/userguide/general/errors.html (web)
- github.com/codeigniter4/CodeIgniter4/commit/423569fc31e29f51635a2e59c89770333f0e7563 (fix commit)
- github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj (vendor advisory, confirmed)