CodeIgniter 4 Header Validation Vulnerability Leading to Potential Denial-of-Service

Vulnerability

A vulnerability exists in CodeIgniter 4 versions prior to 4.5.8 due to improper validation of HTTP header names and values. This flaw allows attackers to create malformed headers using the Header class, which can disrupt application functionality by causing errors or generating invalid HTTP requests. Such malformed requests may be interpreted as malicious by a remote service's web application firewall, potentially leading to a denial-of-service scenario by blocking further communication with the application.

Impact

Exploitation of this vulnerability can cause application errors, disrupt normal functionality, and in some cases, lead to a denial-of-service condition by causing a remote service's web application firewall to block communication with the application.

Reproduction

To reproduce this vulnerability, create a header with a name or value that includes newline characters. This can be done by using the Header class to construct a header that violates the standard HTTP/1.1 message syntax, as defined in RFC 7230.
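As an added example (not CodeIgniter's code, and not the 4.5.8 patch), the following standalone Python validator applies the RFC 7230 grammar the text refers to: a header name must be a `token`, and a field value may contain only visible characters, SP and HTAB, so any CR or LF is rejected before a header line is ever rendered. Function and class names are assumptions for illustration.

```python
import re

# RFC 7230 section 3.2.6: a header name is a "token", one or more tchar.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# RFC 7230 section 3.2: a field value is VCHAR / obs-text separated by SP or
# HTAB. CR (0x0D), LF (0x0A) and every other control character are excluded,
# which is what stops a value from being split into a second header line.
# Code points above 0xFF are rejected too: a value must be Latin-1 encodable.
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class InvalidHeaderError(ValueError):
    """Raised when a header name or value violates RFC 7230 syntax."""


def validate_header_name(name: str) -> str:
    # fullmatch, not match + "$": "$" would still match before a trailing "\n".
    if _TOKEN_RE.fullmatch(name) is None:
        raise InvalidHeaderError(f"invalid header name: {name!r}")
    return name


def validate_header_value(value: str) -> str:
    if _FIELD_VALUE_RE.fullmatch(value) is None:
        raise InvalidHeaderError(f"invalid header value: {value!r}")
    return value


def render_header_line(name: str, value: str) -> str:
    """Return a single well-formed 'Name: value' line, or raise."""
    return f"{validate_header_name(name)}: {validate_header_value(value)}"


def is_well_formed(name: str, value: str) -> bool:
    """Convenience predicate for callers that prefer a boolean over an exception."""
    try:
        render_header_line(name, value)
    except InvalidHeaderError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one valid header and one carrying a newline.
    print(render_header_line("X-Request-Id", "abc123"))
    print(is_well_formed("X-Request-Id", "abc\r\nX-Injected: 1"))  # False
```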

Remediation

Upgrade to CodeIgniter 4 version 4.5.8 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 3.1
exploitability: 8.6
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.