CVE-2025-24013: Missing validation of header name and value in codeigniter4/framework
Lack of proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application.
References
- datatracker.ietf.org/doc/html/rfc7230
- github.com/advisories/GHSA-wxmh-65f7-jcvw
- github.com/advisories/GHSA-x5mq-jjr3-vmx6
- github.com/codeigniter4/CodeIgniter4
- github.com/codeigniter4/CodeIgniter4/commit/5f8aa24280fb09947897d6b322bf1f0e038b13b6
- github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-x5mq-jjr3-vmx6
- nvd.nist.gov/vuln/detail/CVE-2025-24013
Detect and mitigate CVE-2025-24013 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →