VYPR
High severity · NVD Advisory · Published Mar 29, 2024 · Updated Aug 21, 2024

CodeIgniter4 Language class DoS Vulnerability

CVE-2024-29904

Description

CodeIgniter is a PHP full-stack web framework. A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server. Upgrade to v4.4.7 or later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A vulnerability in CodeIgniter 4's Language class allows attackers to cause a denial of service by consuming excessive server memory.

Vulnerability Description

CVE-2024-29904 is a denial-of-service (DoS) vulnerability in CodeIgniter 4, a PHP full-stack web framework, affecting the Language class. The root cause is improper input handling that can trigger excessive memory allocation when processing malformed or specially crafted data [4]. This flaw allows an attacker to exhaust server memory resources.

Exploitation Details

The vulnerability can be exploited remotely over the network with low attack complexity. No authentication or user interaction is required, and the attacker does not need any special privileges or local access [2][4]. By sending a crafted request that triggers the Language class to allocate an excessive amount of memory, an adversary can cause the server to become unresponsive.

Impact

Successful exploitation results in a denial-of-service condition due to memory exhaustion, impacting server availability. Confidentiality and integrity are not affected directly, but the service outage can disrupt legitimate operations [2].

Mitigation

The fix was introduced in CodeIgniter version 4.4.7, which includes hardening of the Language class and related URL processing [1]. Users are advised to upgrade immediately. No workarounds have been officially documented, so upgrading is the recommended course of action.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
codeigniter4/framework (Packagist) | < 4.4.7 | 4.4.7
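
The check below is an added example, not code from the advisory or from the CodeIgniter project. It reads a project's composer.lock and app/Config/App.php and reports whether the installed codeigniter4/framework is older than 4.4.7 and, once patched, whether $permittedURIChars has been added as the 4.4.7 upgrade notes on this page require. The function names, the sample inputs and the regular expression used to find the PHP property are assumptions made for this example.

```python
import json
import re
import sys
from pathlib import Path

PACKAGE = "codeigniter4/framework"  # package named in the advisory
FIXED = (4, 4, 7)                   # first patched release per the advisory

# Constructed sample inputs (not taken from a real project).
SAMPLE_LOCK_OLD = json.dumps({"packages": [{"name": PACKAGE, "version": "v4.4.6"}]})
SAMPLE_LOCK_NEW = json.dumps({"packages": [{"name": PACKAGE, "version": "v4.4.7"}]})
SAMPLE_APP_UPGRADED = r"""<?php
namespace Config;
class App extends BaseConfig
{
    public string $uriProtocol = 'REQUEST_URI';
}
"""
SAMPLE_APP_FIXED = SAMPLE_APP_UPGRADED.replace(
    "}\n", "    public string $permittedURIChars = 'a-z 0-9~%.:_\\-';\n}\n")


def parse_version(text):
    """Turn 'v4.4.6' or '4.4.7' into a tuple of ints; None for dev/branch versions."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(map(int, m.groups())) if m else None


def locked_version(lock_text):
    """Return the version string composer.lock pins for PACKAGE, or None."""
    data = json.loads(lock_text)
    for pkg in (data.get("packages") or []) + (data.get("packages-dev") or []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def has_permitted_uri_chars(app_php):
    """True if the config declares a non-empty $permittedURIChars.

    An empty string counts as absent: the patched Router treats '' as
    "do not check", so the URI Security check is off in both cases.
    """
    m = re.search(
        r"""^[ \t]*public\s+string\s+\$permittedURIChars\s*=\s*(['"])(.*?)\1\s*;""",
        app_php, re.MULTILINE)
    return bool(m and m.group(2))


def audit(lock_text, app_php):
    """Return a list of findings; an empty list means nothing to do."""
    raw = locked_version(lock_text)
    if raw is None:
        return [f"{PACKAGE} not found in composer.lock"]
    version = parse_version(raw)
    if version is None:
        return [f"cannot compare version {raw!r}; check it manually"]
    if version < FIXED:
        return [f"{PACKAGE} {raw} is affected by CVE-2024-29904; "
                "upgrade to 4.4.7 or later"]
    if not has_permitted_uri_chars(app_php):
        return ["patched, but $permittedURIChars is missing or empty in "
                "app/Config/App.php, so the URI Security check is off"]
    return []


def main(argv):
    if len(argv) != 2:
        print("usage: audit.py <project-root>")
        return 2
    root = Path(argv[1])
    findings = audit((root / "composer.lock").read_text(encoding="utf-8"),
                     (root / "app/Config/App.php").read_text(encoding="utf-8"))
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
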

Patches

1
fa851acbae7a

Merge pull request from GHSA-39fp-mqmm-gxj6

16 files changed · +327 24
  • app/Config/App.php+24 0 modified
    @@ -59,6 +59,30 @@ class App extends BaseConfig
          */
         public string $uriProtocol = 'REQUEST_URI';
     
    +    /*
    +    |--------------------------------------------------------------------------
    +    | Allowed URL Characters
    +    |--------------------------------------------------------------------------
    +    |
    +    | This lets you specify which characters are permitted within your URLs.
    +    | When someone tries to submit a URL with disallowed characters they will
    +    | get a warning message.
    +    |
    +    | As a security measure you are STRONGLY encouraged to restrict URLs to
    +    | as few characters as possible.
    +    |
    +    | By default, only these are allowed: `a-z 0-9~%.:_-`
    +    |
    +    | Set an empty string to allow all characters -- but only if you are insane.
    +    |
    +    | The configured value is actually a regular expression character group
    +    | and it will be used as: '/\A[<permittedURIChars>]+\z/iu'
    +    |
    +    | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
    +    |
    +    */
    +    public string $permittedURIChars = 'a-z 0-9~%.:_\-';
    +
         /**
          * --------------------------------------------------------------------------
          * Default Locale
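
    Review bot: The docblock for $permittedURIChars says the value is spliced into '/\A[<permittedURIChars>]+\z/iu' but does not say which characters must be escaped; a value containing an unescaped ] or / would end the character class or the delimiter early and change or break the pattern. Suggest listing the characters that need a backslash, as the default already does with \-. The text also promises "a warning message", while Router::checkDisallowedChars() in this commit throws BadRequestException (400); the comment should name that outcome.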
    
  • phpstan-baseline.php+1 1 modified
    @@ -13713,7 +13713,7 @@
     ];
     $ignoreErrors[] = [
     	'message' => '#^Assigning \'GET\' directly on offset \'REQUEST_METHOD\' of \\$_SERVER is discouraged\\.$#',
    -	'count' => 35,
    +	'count' => 36,
     	'path' => __DIR__ . '/tests/system/Filters/FiltersTest.php',
     ];
     $ignoreErrors[] = [
    
  • system/CodeIgniter.php+2 0 modified
    @@ -449,6 +449,7 @@ protected function handleRequest(?RouteCollectionInterface $routes, Cache $cache
     
             $routeFilter = $this->tryToRouteIt($routes);
     
    +        // $uri is URL-encoded.
             $uri = $this->determinePath();
     
             if ($this->enableFilters) {
    @@ -813,6 +814,7 @@ protected function tryToRouteIt(?RouteCollectionInterface $routes = null)
             // $routes is defined in Config/Routes.php
             $this->router = Services::router($routes, $this->request);
     
    +        // $path is URL-encoded.
             $path = $this->determinePath();
     
             $this->benchmark->stop('bootstrap');
    
  • system/Filters/Filters.php+5 2 modified
    @@ -245,6 +245,9 @@ public function initialize(?string $uri = null)
                 return $this;
             }
     
    +        // Decode URL-encoded string
    +        $uri = urldecode($uri);
    +
             $this->processGlobals($uri);
             $this->processMethods();
             $this->processFilters($uri);
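
    Review bot: initialize() declares ?string $uri = null, yet the added urldecode($uri) is called with no null guard visible in this hunk, and passing null to urldecode() is deprecated since PHP 8.1. Suggest $uri = urldecode($uri ?? ''); or skipping the decode when $uri is null.
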
    @@ -639,7 +642,7 @@ private function checkExcept(string $uri, $paths): bool
         /**
          * Check the URI path as pseudo-regex
          *
    -     * @param string $uri   URI path relative to baseURL (all lowercase)
    +     * @param string $uri   URI path relative to baseURL (all lowercase, URL-decoded)
          * @param array  $paths The except path patterns
          */
         private function checkPseudoRegex(string $uri, array $paths): bool
    @@ -652,7 +655,7 @@ private function checkPseudoRegex(string $uri, array $paths): bool
                 $path = strtolower(str_replace('*', '.*', $path));
     
                 // Does this rule apply here?
    -            if (preg_match('#^' . $path . '$#', $uri, $match) === 1) {
    +            if (preg_match('#\A' . $path . '\z#u', $uri, $match) === 1) {
                     return true;
                 }
             }
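
    Review bot: With the u modifier added in checkPseudoRegex(), preg_match() returns false when the now URL-decoded $uri or the $path is not valid UTF-8, and the === 1 comparison treats that the same as "no match", so the filter rule is silently skipped for such a request. Suggest handling the false return explicitly, for example by rejecting the request or logging preg_last_error(), instead of falling through.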
    
  • system/HTTP/Exceptions/BadRequestException.php+28 0 added
    @@ -0,0 +1,28 @@
    +<?php
    +
    +/**
    + * This file is part of CodeIgniter 4 framework.
    + *
    + * (c) CodeIgniter Foundation <admin@codeigniter.com>
    + *
    + * For the full copyright and license information, please view
    + * the LICENSE file that was distributed with this source code.
    + */
    +
    +namespace CodeIgniter\HTTP\Exceptions;
    +
    +use CodeIgniter\Exceptions\HTTPExceptionInterface;
    +use RuntimeException;
    +
    +/**
    + * 400 Bad Request
    + */
    +class BadRequestException extends RuntimeException implements HTTPExceptionInterface
    +{
    +    /**
    +     * HTTP status code for Bad Request
    +     *
    +     * @var int
    +     */
    +    protected $code = 400; // @phpstan-ignore-line
    +}
    
  • system/Language/Language.php+27 3 modified
    @@ -12,7 +12,7 @@
     namespace CodeIgniter\Language;
     
     use Config\Services;
    -use InvalidArgumentException;
    +use IntlException;
     use MessageFormatter;
     
     /**
    @@ -194,9 +194,33 @@ protected function formatMessage($message, array $args = [])
     
             $formatted = MessageFormatter::formatMessage($this->locale, $message, $args);
             if ($formatted === false) {
    -            throw new InvalidArgumentException(
    -                lang('Language.invalidMessageFormat', [$message, implode(',', $args)])
    +            // Format again to get the error message.
    +            try {
    +                $fmt       = new MessageFormatter($this->locale, $message);
    +                $formatted = $fmt->format($args);
    +                $fmtError  = '"' . $fmt->getErrorMessage() . '" (' . $fmt->getErrorCode() . ')';
    +            } catch (IntlException $e) {
    +                $fmtError = '"' . $e->getMessage() . '" (' . $e->getCode() . ')';
    +            }
    +
    +            $argsString = implode(
    +                ', ',
    +                array_map(static fn ($element) => '"' . $element . '"', $args)
    +            );
    +            $argsUrlEncoded = implode(
    +                ', ',
    +                array_map(static fn ($element) => '"' . rawurlencode($element) . '"', $args)
                 );
    +
    +            log_message(
    +                'error',
    +                'Language.invalidMessageFormat: $message: "' . $message
    +                . '", $args: ' . $argsString
    +                . ' (urlencoded: ' . $argsUrlEncoded . '),'
    +                . ' MessageFormatter Error: ' . $fmtError
    +            );
    +
    +            return $message . "\n【Warning】Also, invalid string(s) was passed to the Language class. See log file for details.";
             }
     
             return $formatted;
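
    Review bot: The log_message() call writes the raw $message and the raw $argsString to the log with no length limit and no neutralisation of line breaks, so values that reach this branch can inject extra log lines and inflate the log. Suggest logging only the rawurlencode()d form, truncated to a fixed length. Separately, '"' . $element . '"' and rawurlencode($element) assume every element of $args is a string, so a non-string element (an array, for instance) needs a type check first, and the $formatted value assigned inside the try block is never used.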
    
  • system/Router/Router.php+33 2 modified
    @@ -13,6 +13,7 @@
     
     use Closure;
     use CodeIgniter\Exceptions\PageNotFoundException;
    +use CodeIgniter\HTTP\Exceptions\BadRequestException;
     use CodeIgniter\HTTP\Exceptions\RedirectException;
     use CodeIgniter\HTTP\Request;
     use CodeIgniter\HTTP\ResponseInterface;
    @@ -120,11 +121,23 @@ class Router implements RouterInterface
     
         protected ?AutoRouterInterface $autoRouter = null;
     
    +    /**
    +     * Permitted URI chars
    +     *
    +     * The default value is `''` (do not check) for backward compatibility.
    +     */
    +    protected string $permittedURIChars = '';
    +
         /**
          * Stores a reference to the RouteCollection object.
          */
         public function __construct(RouteCollectionInterface $routes, ?Request $request = null)
         {
    +        $config = config(App::class);
    +        if (isset($config->permittedURIChars)) {
    +            $this->permittedURIChars = $config->permittedURIChars;
    +        }
    +
             $this->collection = $routes;
     
             // These are only for auto-routing
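
    Review bot: In the constructor, a Config\App without the $permittedURIChars property leaves the default '' in place, which disables checkDisallowedChars() entirely, so an upgraded application that has not edited app/Config/App.php gets no URI check and no indication of that. Suggest logging a notice when the property is missing so the fail-open state is visible to operators.
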
    @@ -179,6 +192,8 @@ public function handle(?string $uri = null)
             // Decode URL-encoded string
             $uri = urldecode($uri);
     
    +        $this->checkDisallowedChars($uri);
    +
             // Restart filterInfo
             $this->filterInfo  = null;
             $this->filtersInfo = [];
    @@ -433,7 +448,7 @@ protected function checkRoutes(string $uri): bool
                         }, is_array($handler) ? key($handler) : $handler);
     
                         throw new RedirectException(
    -                        preg_replace('#^' . $routeKey . '$#u', $redirectTo, $uri),
    +                        preg_replace('#\A' . $routeKey . '\z#u', $redirectTo, $uri),
                             $this->collection->getRedirectCode($routeKey)
                         );
                     }
    @@ -487,7 +502,7 @@ protected function checkRoutes(string $uri): bool
                         }
     
                         // Using back-references
    -                    $handler = preg_replace('#^' . $routeKey . '$#u', $handler, $uri);
    +                    $handler = preg_replace('#\A' . $routeKey . '\z#u', $handler, $uri);
                     }
     
                     $this->setRequest(explode('/', $handler));
    @@ -676,4 +691,20 @@ protected function setMatchedRoute(string $route, $handler): void
     
             $this->matchedRouteOptions = $this->collection->getRoutesOptions($route);
         }
    +
    +    /**
    +     * Checks disallowed characters
    +     */
    +    private function checkDisallowedChars(string $uri): void
    +    {
    +        foreach (explode('/', $uri) as $segment) {
    +            if ($segment !== '' && $this->permittedURIChars !== ''
    +                && preg_match('/\A[' . $this->permittedURIChars . ']+\z/iu', $segment) !== 1
    +            ) {
    +                throw new BadRequestException(
    +                    'The URI you submitted has disallowed characters: "' . $segment . '"'
    +                );
    +            }
    +        }
    +    }
     }
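
    Review bot: In checkDisallowedChars(), the BadRequestException message embeds the rejected $segment verbatim, and that segment is by definition made of characters the application did not permit (the accompanying test expects "<a>"). Suggest omitting the segment from the message, or making sure every error view and log sink that shows the message escapes it. The $this->permittedURIChars !== '' test is also loop-invariant and could be an early return before the foreach.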
    
  • tests/system/Filters/FiltersTest.php+46 0 modified
    @@ -1056,6 +1056,52 @@ public function testMatchesURICaseInsensitively(): void
             $this->assertSame($expected, $filters->initialize($uri)->getFilters());
         }
     
    +    public function testMatchesURIWithUnicode(): void
    +    {
    +        $_SERVER['REQUEST_METHOD'] = 'GET';
    +
    +        $config = [
    +            'aliases' => [
    +                'foo'  => '',
    +                'bar'  => '',
    +                'frak' => '',
    +                'baz'  => '',
    +            ],
    +            'globals' => [
    +                'before' => [
    +                    'foo' => ['except' => '日本語/*'],
    +                    'bar',
    +                ],
    +                'after' => [
    +                    'foo' => ['except' => '日本語/*'],
    +                    'baz',
    +                ],
    +            ],
    +            'filters' => [
    +                'frak' => [
    +                    'before' => ['日本語/*'],
    +                    'after'  => ['日本語/*'],
    +                ],
    +            ],
    +        ];
    +        $filtersConfig = $this->createConfigFromArray(FiltersConfig::class, $config);
    +        $filters       = $this->createFilters($filtersConfig);
    +
    +        // URIs passed to Filters are URL-encoded.
    +        $uri      = '%E6%97%A5%E6%9C%AC%E8%AA%9E/foo/bar';
    +        $expected = [
    +            'before' => [
    +                'bar',
    +                'frak',
    +            ],
    +            'after' => [
    +                'baz',
    +                'frak',
    +            ],
    +        ];
    +        $this->assertSame($expected, $filters->initialize($uri)->getFilters());
    +    }
    +
         /**
          * @see https://github.com/codeigniter4/CodeIgniter4/issues/1907
          */
    
  • tests/system/HTTP/URITest.php+18 6 modified
    @@ -473,8 +473,8 @@ public static function providePathGetsFiltered(): iterable
         {
             return [
                 'dot-segment' => [
    -                '/./path/to/nowhere',
    -                '/path/to/nowhere',
    +                '/./path/to/nowhere', // path
    +                '/path/to/nowhere',   // expectedPath
                 ],
                 'double-dots' => [
                     '/../path/to/nowhere',
    @@ -484,18 +484,30 @@ public static function providePathGetsFiltered(): iterable
                     './path/to/nowhere',
                     '/path/to/nowhere',
                 ],
    -            'start-double' => [
    +            'start-double-dot' => [
                     '../path/to/nowhere',
                     '/path/to/nowhere',
                 ],
    -            'decoded' => [
    -                '../%41path',
    +            'decode-percent-encoded-chars' => [
    +                '/%41path',
                     '/Apath',
                 ],
    -            'encoded' => [
    +            'decode-slash' => [
    +                '/a%2Fb',
    +                '/a/b',
    +            ],
    +            'encode-unreserved-chars' => [
                     '/path^here',
                     '/path%5Ehere',
                 ],
    +            'encode-multibyte-chars' => [
    +                '/あいう',
    +                '/%E3%81%82%E3%81%84%E3%81%86',
    +            ],
    +            'encode-invalid-percent-encoding' => [
    +                '/pa%2-th',
    +                '/pa%252-th',
    +            ],
             ];
         }
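
    Review bot: The data-set key 'encode-unreserved-chars' is attached to '/path^here', but ^ is not an unreserved character in RFC 3986 (those are letters, digits, -, ., _ and ~), which is why the case expects it to become %5E. Suggest renaming the key to something like 'encode-disallowed-chars' so the name matches what the case checks.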
     
    
  • tests/system/Language/LanguageTest.php+5 10 modified
    @@ -14,7 +14,6 @@
     use CodeIgniter\Test\CIUnitTestCase;
     use CodeIgniter\Test\Mock\MockLanguage;
     use Config\Services;
    -use InvalidArgumentException;
     use MessageFormatter;
     use Tests\Support\Language\SecondMockLanguage;
     
    @@ -137,18 +136,14 @@ public function testGetLineInvalidFormatMessage(): void
                 $this->markTestSkipped('No intl support.');
             }
     
    -        $this->expectException(InvalidArgumentException::class);
    -        $this->expectExceptionMessage(
    -            'Invalid message format: "تم الكشف عن كلمة المرور {0} بسبب اختراق البيانات وشوهدت {1 ، عدد} مرة في {2} في كلمات المرور المخترقة.", args: "password,hits,wording"'
    -        );
    -
             $this->lang->setLocale('ar');
     
    -        $this->lang->setData('Auth', [
    -            'errorPasswordPwned' => 'تم الكشف عن كلمة المرور {0} بسبب اختراق البيانات وشوهدت {1 ، عدد} مرة في {2} في كلمات المرور المخترقة.',
    -        ]);
    +        $line = 'تم الكشف عن كلمة المرور {0} بسبب اختراق البيانات وشوهدت {1 ، عدد} مرة في {2} في كلمات المرور المخترقة.';
    +        $this->lang->setData('Auth', ['errorPasswordPwned' => $line]);
    +
    +        $output = $this->lang->getLine('Auth.errorPasswordPwned', ['password', 'hits', 'wording']);
     
    -        $this->lang->getLine('Auth.errorPasswordPwned', ['password', 'hits', 'wording']);
    +        $this->assertSame($line . "\n【Warning】Also, invalid string(s) was passed to the Language class. See log file for details.", $output);
         }
     
         /**
    
  • tests/system/Router/RouterTest.php+18 0 modified
    @@ -13,10 +13,12 @@
     
     use CodeIgniter\Config\Services;
     use CodeIgniter\Exceptions\PageNotFoundException;
    +use CodeIgniter\HTTP\Exceptions\BadRequestException;
     use CodeIgniter\HTTP\Exceptions\RedirectException;
     use CodeIgniter\HTTP\IncomingRequest;
     use CodeIgniter\Router\Exceptions\RouterException;
     use CodeIgniter\Test\CIUnitTestCase;
    +use Config\App;
     use Config\Modules;
     use Config\Routing;
     use Tests\Support\Filters\Customfilter;
    @@ -87,6 +89,16 @@ public function testZeroAsURIPath(): void
             $router->handle('0');
         }
     
    +    public function testNotPermittedChars(): void
    +    {
    +        $router = new Router($this->collection, $this->request);
    +
    +        $this->expectException(BadRequestException::class);
    +        $this->expectExceptionMessage('The URI you submitted has disallowed characters: "<a>"');
    +
    +        $router->handle('test/%3Ca%3E');
    +    }
    +
         public function testURIMapsToController(): void
         {
             $router = new Router($this->collection, $this->request);
    @@ -783,6 +795,9 @@ public function testAutoRouteMethodEmpty(): void
          */
         public function testRegularExpressionWithUnicode(): void
         {
    +        $config                    = config(App::class);
    +        $config->permittedURIChars = 'a-z 0-9~%.:_\-\x{0980}-\x{09ff}';
    +
             $this->collection->get('news/([a-z0-9\x{0980}-\x{09ff}-]+)', 'News::view/$1');
     
             $router = new Router($this->collection, $this->request);
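
    Review bot: testRegularExpressionWithUnicode() assigns $config->permittedURIChars on the object returned by config(App::class) and the hunk shows no reset, so if that instance is shared the widened character set carries over into later tests. Suggest restoring the value in tearDown() or building a dedicated App config for this test.
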
    @@ -802,6 +817,9 @@ public function testRegularExpressionWithUnicode(): void
          */
         public function testRegularExpressionPlaceholderWithUnicode(): void
         {
    +        $config                    = config(App::class);
    +        $config->permittedURIChars = 'a-z 0-9~%.:_\-\x{0980}-\x{09ff}';
    +
             $this->collection->addPlaceholder('custom', '[a-z0-9\x{0980}-\x{09ff}-]+');
             $this->collection->get('news/(:custom)', 'News::view/$1');
     
    
  • user_guide_src/source/changelogs/v4.4.7.rst+14 0 modified
    @@ -10,6 +10,20 @@ Release Date: Unreleased
         :local:
         :depth: 3
     
    +********
    +SECURITY
    +********
    +
    +- **Language:** *Language class DoS Vulnerability* was fixed.
    +  See the `Security advisory GHSA-39fp-mqmm-gxj6 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-39fp-mqmm-gxj6>`_
    +  for more information.
    +- **URI Security:** The feature to check if URIs do not contain not permitted
    +  strings has been added. This check is equivalent to the URI Security found in
    +  CodeIgniter 3. This is enabled by default, but upgraded users need to add
    +  a setting to enable it. See :ref:`urls-uri-security` for details.
    +- **Filters:** A bug where URI paths processed by Filters were not URL-decoded
    +  has been fixed. See :ref:`upgrade-447-filter-paths` for details.
    +
     ********
     BREAKING
     ********
    
  • user_guide_src/source/concepts/security.rst+1 0 modified
    @@ -38,6 +38,7 @@ OWASP recommendations
     CodeIgniter provisions
     ======================
     
    +- :ref:`urls-uri-security`
     - :ref:`invalidchars` filter
     - :doc:`../libraries/validation` library
     - :doc:`HTTP library <../incoming/incomingrequest>` provides for :ref:`input field filtering <incomingrequest-filtering-input-data>` & content metadata
    
  • user_guide_src/source/general/urls.rst+46 0 modified
    @@ -58,6 +58,52 @@ Route path /blog/news/2022/10                   The URI path relative to the Bas
     Query      page=2
     ========== ==================================== =========================================
     
    +.. _urls-uri-security:
    +
    +URI Security
    +============
    +
    +.. versionadded:: 4.4.7
    +
    +.. important::
    +    Users upgrading from versions prior to v4.4.7 will need to add the following
    +    to **app/Config/App.php** in order to use this feature::
    +
    +        public string $permittedURIChars = 'a-z 0-9~%.:_\-';
    +
    +CodeIgniter is fairly restrictive regarding which characters it allows in your
    +URI strings (Route path) in order to help minimize the possibility that malicious
    +data can be passed to your application. URIs may only contain the following:
    +
    +-  Alpha-numeric text (latin characters only)
    +-  Tilde: ``~``
    +-  Percent sign: ``%``
    +-  Period: ``.``
    +-  Colon: ``:``
    +-  Underscore: ``_``
    +-  Dash: ``-``
    +-  Space: `` ``
    +
    +.. note::
    +    This check is performed by the ``Router``. The Router takes the URL-encoded
    +    value held by the ``SiteURI`` class, decodes it, and then checks that it
    +    does not contain not permitted strings.
    +
    +Adding Permitted Characters
    +---------------------------
    +
    +The permitted characters can be changed by ``Config\App::$permittedURIChars``.
    +
    +If you want to use Unicode for URI paths, modify it to allow the characters to
    +be used. For example, if you want to use Bengali, you will need to set the
    +following value in **app/Config/App.php**::
    +
    +    public string $permittedURIChars = 'a-z 0-9~%.:_\-\x{0980}-\x{09ff}';
    +
    +A full list of Unicode ranges can be found at Wikipedia's `Unicode block`_.
    +
    +.. _Unicode block: https://en.wikipedia.org/wiki/Unicode_block
    +
     .. _urls-remove-index-php:
     
     Removing the index.php file
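
    Review bot: In the new URI Security list, the item "Space: `` ``" uses an inline literal that contains only a space; reStructuredText requires the start-string to be followed by non-whitespace, so this will not render as a literal. The note's wording "does not contain not permitted strings" is also hard to read, and the check is per character; suggest "contains only permitted characters".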
    
  • user_guide_src/source/incoming/filters.rst+10 0 modified
    @@ -140,6 +140,11 @@ an array with the ``except`` key and a URI path (relative to BaseURL) to match a
     
     .. literalinclude:: filters/006.php
     
    +.. Warning:: Prior to v4.4.7, due to a bug, the URI paths processed by the filter
    +    were not URL-decoded. In other words, the URI paths specified in the routing
    +    and the URI paths specified in the filter could be different.
    +    See :ref:`upgrade-447-filter-paths` for details.
    +
     Any place you can use a URI path (relative to BaseURL) in the filter settings, you can use a regular expression or, like in this example, use
     an asterisk (``*``) for a wildcard that will match all characters after that. In this example, any URI path starting with ``api/``
     would be exempted from CSRF protection, but the site's forms would all be protected.
    @@ -175,6 +180,11 @@ a list of URI path (relative to BaseURL) patterns that filter should apply to:
     
     .. literalinclude:: filters/009.php
     
    +.. Warning:: Prior to v4.4.7, due to a bug, the URI paths processed by the filter
    +    were not URL-decoded. In other words, the URI paths specified in the routing
    +    and the URI paths specified in the filter could be different.
    +    See :ref:`upgrade-447-filter-paths` for details.
    +
     .. _filters-filters-filter-arguments:
     
     Filter Arguments
    
  • user_guide_src/source/installation/upgrade_447.rst+49 0 modified
    @@ -16,6 +16,18 @@ Please refer to the upgrade instructions corresponding to your installation meth
     Mandatory File Changes
     **********************
     
    +URI Security
    +============
    +
    +The feature to check if URIs do not contain not permitted strings has been added.
    +This check is equivalent to the URI Security found in CodeIgniter 3.
    +
    +We recommend you enable this feature. Add the following to **app/Config/App.php**::
    +
    +        public string $permittedURIChars = 'a-z 0-9~%.:_\-';.
    +
    +See :ref:`urls-uri-security` for details.
    +
     Error Files
     ===========
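
    Review bot: The literal block under URI Security ends with ";." (public string $permittedURIChars = 'a-z 0-9~%.:_\-';.), so anyone pasting it into app/Config/App.php gets a PHP parse error. Suggest dropping the trailing period and using the same indentation as the identical line in urls.rst.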
     
    @@ -28,6 +40,40 @@ The error page has been updated. Please update the following files:
     Breaking Changes
     ****************
     
    +.. _upgrade-447-filter-paths:
    +
    +Paths in Controller Filters
    +===========================
    +
    +A bug where URI paths processed by :doc:`../incoming/filters` were not URL-decoded has been fixed.
    +
    +.. note:: Note that :doc:`Router <../incoming/routing>` processes URL-decoded URI paths.
    +
    +``Config\Filters`` has some places to specify the URI paths. If the paths have
    +different values when URL-decoded, change them to the URL-decoded values.
    +
    +E.g.,:
    +
    +.. code-block:: php
    +
    +    public array $globals = [
    +        'before' => [
    +            'csrf' => ['except' => '%E6%97%A5%E6%9C%AC%E8%AA%9E/*'],
    +        ],
    +        // ...
    +    ];
    +
    +↓
    +
    +.. code-block:: php
    +
    +    public array $globals = [
    +        'before' => [
    +            'csrf' => ['except' => '日本語/*'],
    +        ],
    +        // ...
    +    ];
    +
     Time::difference() and DST
     ==========================
     
    @@ -66,6 +112,9 @@ and it is recommended that you merge the updated versions with your application:
     Config
     ------
     
    +- app/Config/App.php
    +    - The property ``$permittedURIChars`` was added. See :ref:`urls-uri-security`
    +      for details.
     - @TODO
     
     All Changes
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
