Deserialization of Untrusted Data in Codeigniter4

Impact

Deserialization of Untrusted Data was found in the old() function in CodeIgniter4.
Remote attackers may inject auto-loadable arbitrary objects with this vulnerability,
and possibly execute existing PHP code on the server.
We are aware of a working exploit, which can lead to SQL injection.

Patches

Upgrade to v4.1.6 or later.

Workarounds

Do not use:

• old() and form_helper
• RedirectResponse::withInput() and redirect()->withInput()

References

• PHP Object Injection | OWASP

For more information

If you have any questions or comments about this advisory:

• Open an issue in codeigniter4/CodeIgniter4
• Email us at SECURITY.md