CVE-2022-21647 HIGH

CVE-2022-21647: Deserialization of Untrusted Data in Codeigniter4

Vendor Codeigniter4

Product CodeIgniter4

Weakness CWE-502 · Unsafe deserialization

Published January 4, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

Description

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade as advised to not use the `old()` function and form_helper nor `RedirectResponse::withInput()` and `redirect()->withInput()`.

Key dates

Disclosure timeline

January 4, 2022 CVE published

April 23, 2025 Record updated