CVE-2025-45406: Withdrawn Advisory: CodeIgniter4 Cross-Site Scripting Vulnerability in debugbar_time Parameter
Withdrawn Advisory
This advisory has been withdrawn because the original report was found to be invalid. This link is maintained to preserve external references. For more information, see https://github.com/github/advisory-database/pull/5862.
Original Description
A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter.
References
- github.com/advisories/GHSA-49jm-g4m8-x53p
- github.com/codeigniter4/CodeIgniter4
- github.com/codeigniter4/CodeIgniter4/blob/v4.6.2/system/Debug/Toolbar.php
- github.com/codeigniter4/framework/blob/v4.6.2/system/Debug/Toolbar.php
- medium.com/@talktoshweta0/when-debugging-bites-back-exposing-a-persistent-xss-in-codeigniter4-c9caf804a190
- nvd.nist.gov/vuln/detail/CVE-2020-15943
- nvd.nist.gov/vuln/detail/CVE-2025-45406
- www.exploit-db.com/exploits/50556