PT-2022-16822 · Unknown · Codeigniter4

Mgatner · Published 2022-02-28 · Updated 2024-03-06 · CVE-2022-24712
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: CodeIgniter4 versions prior to 4.1.9
Description: CodeIgniter4 before 4.1.9 lets a remote attacker bypass its Cross-Site Request Forgery (CSRF) protection. The CSRF filter does not verify a token on GET requests, so any state-changing controller method that a GET request can reach runs without a token check. A GET can reach such a method in two configurations: with auto-routing enabled, every public controller method is addressable from the URL; with auto-routing disabled, a route declared with $routes->add() matches every HTTP verb. An attacker who lures an authenticated user to a page that issues the request (an image tag or a plain link is enough) can therefore trigger unauthorized actions. Mitigation: check the request method in the controller method before processing, or declare routes with the HTTP verb they expect instead of $routes->add().
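The two routing configurations described above, shown side by side with the corrected form as an added example; this is not CodeIgniter's own code, and the Account controller, its delete() method and the paths are assumed for illustration. The weak and hardened halves are alternatives, not meant to coexist in one Routes.php.

```php
<?php
// app/Config/Routes.php (excerpt). Added example, not CodeIgniter's own code.
// Assumes an App\Controllers\Account controller whose delete() method
// changes state; controller name and paths are illustrative.

/** @var \CodeIgniter\Router\RouteCollection $routes */

// --- Weak configuration (what the advisory describes) ---
// Auto-routing exposes every public controller method by URL, so
// GET /account/delete/42 reaches Account::delete(42) ...
$routes->setAutoRoute(true);
// ... and add() registers the route for every HTTP verb, so the same GET
// reaches the method even with auto-routing off. The CSRF filter does not
// verify a token on GET, so the deletion runs with no token check at all.
$routes->add('account/delete/(:num)', 'Account::delete/$1');

// --- Hardened configuration ---
// Only explicitly declared routes exist ...
$routes->setAutoRoute(false);
// ... and each state-changing route is bound to the verb it expects.
// A GET to this path matches no route and gets a 404; a POST is verified
// by the csrf filter first, provided 'csrf' is listed in $globals['before']
// of app/Config/Filters.php.
$routes->post('account/delete/(:num)', 'Account::delete/$1');
// When one method must accept several non-safe verbs, list them explicitly
// rather than falling back to add():
$routes->match(['post', 'delete'], 'account/remove/(:num)', 'Account::delete/$1');
```

Verb-bound routes remove the GET path to the method; they do not replace the csrf filter, which still has to be enabled globally for the POST route to be protected.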
Recommendations: Upgrade to version 4.1.9 or later. Until the upgrade is in place, check the request method in the controller method before processing anything, for example:
// Reject anything that is not a POST before doing any work: the CSRF
// filter has not verified a token for any other request method.
if (strtolower($this->request->getMethod()) !== 'post') {
    return $this->response->setStatusCode(405)->setBody('Method Not Allowed');
}
When auto-routing is disabled, declare each route with the HTTP verb it expects ($routes->post(), $routes->put(), or $routes->match([...], ...)) instead of $routes->add(), which matches every verb, or apply the same request-method check in the controller. When auto-routing is enabled, every public controller method is reachable regardless of verb, so the controller-side check is the only workaround short of upgrading.
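A complete controller method carrying the request-method check from the workaround above, as an added example that is not the project's own code; the Account controller, its delete() action and AccountModel are assumed for illustration.

```php
<?php
// app/Controllers/Account.php. Added example, not the project's own code.
// The Account controller, its delete() action and AccountModel are assumed.

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;

class Account extends BaseController
{
    /**
     * Deletes account $id. The guard rejects every method but POST, so a
     * GET that reaches this method (through auto-routing, or through a route
     * declared with $routes->add()) cannot perform the deletion without the
     * CSRF filter having verified a token first.
     */
    public function delete(int $id): ResponseInterface
    {
        if (strtolower($this->request->getMethod()) !== 'post') {
            return $this->response->setStatusCode(405)->setBody('Method Not Allowed');
        }

        // Only a POST gets here. With 'csrf' listed in $globals['before'] of
        // app/Config/Filters.php, the token has already been checked.
        // Read inputs from the POST body only; getVar() would also accept
        // query-string values that an attacker controls in a crafted link.
        if ($this->request->getPost('confirm') !== 'yes') {
            return $this->response->setStatusCode(400)->setBody('Confirmation required');
        }

        // Assumed model; substitute the application's own.
        model(\App\Models\AccountModel::class)->delete($id);

        return redirect()->to('/account');
    }
}
```

Keep the guard even after binding the route with $routes->post(): it costs nothing and protects the method if someone later re-enables auto-routing or adds an add() route for it.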

Tags: CSRF
Related Identifiers

BIT-CODEIGNITER-2022-24712
CVE-2022-24712
GHSA-4V37-24GM-H554

Affected Products

Codeigniter4