PT-2022-15002 · Unknown · Codeigniter4

Mgatner · Published 2022-01-04 · Updated 2024-03-06

CVE-2022-21647
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CodeIgniter4 versions prior to 4.1.6
Description: Deserialization of Untrusted Data was found in the old() function in CodeIgniter4. A remote attacker who controls submitted form input can inject arbitrary auto-loadable objects through this path and possibly trigger existing PHP code on the server (PHP object injection). A working exploit is known to exist and can lead to SQL injection.
Recommendations: Upgrade to v4.1.6 or later. As a temporary workaround, do not use the old() function or the form helper, and do not use RedirectResponse::withInput() or redirect()->withInput(), since those are what carry submitted input back into old().
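The mechanism behind this class of bug, as an added illustration that is not CodeIgniter4's own code: a simplified, hypothetical reconstruction of an "old input" helper that auto-detects serialized-looking strings and hands them to unserialize(), beside a hardened form that never deserializes user input, exercised with a constructed payload. The class FlashDemoGadget, the functions oldVulnerable() and oldHardened(), the session array layout and the payload string are all assumptions made for the demo; the gadget only records what a real chain would execute. Requires PHP 8.0+ for str_starts_with().

```php
<?php
// Added illustration, not CodeIgniter4 code. The old-input flow is reduced to
// its essentials: a redirect flashes submitted form values into the session,
// and a later request reads them back through a helper.

declare(strict_types=1);

// Hypothetical application class standing in for an "auto-loadable" gadget:
// any class the autoloader can resolve can be instantiated by unserialize().
final class FlashDemoGadget
{
    public string $query = '';

    public function __wakeup(): void
    {
        // A real gadget would reach an existing sink (DB handle, file write,
        // template render). Here we only record what would have run.
        $GLOBALS['side_effect'] = 'would execute: ' . $this->query;
    }
}

// Vulnerable pattern: a value that merely *looks* serialized is trusted and
// passed to unserialize(). The attacker controls the request body, so the
// attacker controls this string.
function oldVulnerable(array $flashedInput, string $key, $default = null)
{
    $value = $flashedInput[$key] ?? $default;
    if (is_string($value) && (str_starts_with($value, 'a:') || str_starts_with($value, 's:'))) {
        $value = unserialize($value); // object injection happens here
    }
    return $value;
}

// Hardened pattern: never deserialize user input. If structured values must
// round-trip through the session, use JSON, which cannot instantiate objects.
// Anything that is not valid JSON is returned as the plain string it was.
function oldHardened(array $flashedInput, string $key, $default = null)
{
    $value = $flashedInput[$key] ?? $default;
    if (is_string($value)) {
        $decoded = json_decode($value, true, 512);
        if (json_last_error() === JSON_ERROR_NONE) {
            return $decoded;
        }
    }
    return $value;
}

// Constructed request: what an attacker would POST in the "username" field.
// The array wrapper satisfies the "a:" prefix check; its element is an object.
$payload = 'a:1:{i:0;O:15:"FlashDemoGadget":1:{s:5:"query";s:16:"DROP TABLE users";}}';
$flashed = ['username' => $payload];

$GLOBALS['side_effect'] = null;
$v = oldVulnerable($flashed, 'username');
printf("vulnerable: got %s, side effect: %s\n",
    get_debug_type($v[0]), var_export($GLOBALS['side_effect'], true));

$GLOBALS['side_effect'] = null;
$h = oldHardened($flashed, 'username');
printf("hardened:   got %s, side effect: %s\n",
    get_debug_type($h), var_export($GLOBALS['side_effect'], true));
```

The vulnerable path reports a FlashDemoGadget instance and a recorded side effect, because __wakeup() ran during unserialize(); the hardened path returns the raw string and nothing runs. The workaround in the Recommendations above (avoiding old(), the form helper and withInput()) works by never feeding submitted input into the deserializing path at all. If an application cannot drop unserialize() entirely, unserialize($value, ['allowed_classes' => false]) prevents object instantiation, but it still parses attacker-controlled structure and should be treated as a stopgap rather than the fix.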

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

BIT-CODEIGNITER-2022-21647
CVE-2022-21647
GHSA-W6JR-WJ64-MC9X

Affected Products

Codeigniter4