CVE-2022-21647 Overview
CVE-2022-21647 is an insecure deserialization vulnerability [CWE-502] in CodeIgniter4, an open source PHP full-stack web framework. The flaw resides in the old() function, which deserializes untrusted data submitted through form input. Remote attackers can inject auto-loadable arbitrary PHP objects, triggering object instantiation and possible execution of existing PHP code on the server. A working exploit chain leading to SQL injection has been confirmed by the maintainers. The vulnerability affects CodeIgniter4 versions prior to 4.1.6 and is exploitable over the network without authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can deserialize arbitrary objects through the old() function, leading to PHP object injection and confirmed SQL injection exploitation paths.
Affected Products
- CodeIgniter4 versions prior to 4.1.6
- Applications using the old() function and form_helper
- Applications using RedirectResponse::withInput() or redirect()->withInput()
Discovery Timeline
- 2022-01-04 - CVE-2022-21647 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21647
Vulnerability Analysis
The vulnerability stems from unsafe deserialization of user-controlled input inside CodeIgniter4's old() helper. The function is intended to repopulate form fields with previously submitted values stored in the session flashdata. CodeIgniter4 stored these values using PHP serialization, and the old() function deserialized them on retrieval without validating the type or origin of the serialized payload.
Because an attacker can influence the data persisted into flashdata through form submissions, they can stage a serialized payload containing crafted PHP objects. When the application later renders a view that calls old(), form_helper functions, or returns via RedirectResponse::withInput(), the framework invokes unserialize() on the attacker-controlled blob. This triggers PHP object instantiation and magic methods such as __wakeup, __destruct, and __toString, enabling a property-oriented programming (POP) chain across auto-loadable classes shipped with the application or its dependencies.
Root Cause
The root cause is the use of PHP unserialize() on untrusted, attacker-influenced input within the input redisplay path. The framework treated flashdata as trusted state, yet its contents originated from user-submitted form fields.
Attack Vector
An attacker submits a crafted form payload that the application persists into session flashdata via the input redisplay mechanism. On the subsequent request, the application calls old() or related helpers, deserializing the payload. Given a suitable POP gadget chain in the loaded classes, the attacker achieves SQL injection or arbitrary code execution within the PHP runtime context. Refer to the GitHub Security Advisory GHSA-w6jr-wj64-mc9x for additional details.
// No verified public exploit code is available.
// See the upstream advisory and patch commit for technical specifics.
Detection Methods for CVE-2022-21647
Indicators of Compromise
- Form submissions containing serialized PHP payloads beginning with O:, a:, or s: markers in fields not expected to contain serialized data.
- Session flashdata entries containing unexpected object signatures referencing application classes or third-party library classes.
- Web server access logs showing POST requests with abnormally large or base64-like form values targeting routes that issue redirects with input.
- Unexpected SQL queries originating from request handlers that invoke old() or form_helper functions.
Detection Strategies
- Inspect HTTP request bodies for serialized PHP object signatures using a web application firewall or reverse proxy filter.
- Audit application code for use of old(), form_helper, RedirectResponse::withInput(), and redirect()->withInput() on CodeIgniter4 builds older than 4.1.6.
- Correlate PHP error logs with form submissions to spot unexpected class autoloads or magic-method invocations (__wakeup, __destruct, __toString) that occur on the request immediately following a POST to a redirect-with-input route.
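The indicators and detection strategies above reduce to one check: does a form field (or a base64-wrapped field) carry a PHP serialization signature, and if so, does the blob declare an object anywhere inside it? The following scanner is an added example written for this page, not CodeIgniter4 project code. It walks a decoded request body the way a reverse-proxy or WAF pre-filter would, distinguishes an object declaration (the O: / C: case that unserialize() would instantiate) from a serialized array or scalar that merely looks like serialized data, and re-checks base64-looking values after decoding. The function names, the sample body and the class name Constructed\Example are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not CodeIgniter4 code): flag form fields whose values carry
// PHP serialization signatures, including values hidden behind base64.
// $fields is the parsed request body, e.g. $_POST or a parse_str() result.

/** Returns findings as ['field' => <name path>, 'reason' => <why it was flagged>]. */
function findSerializedPayloads(array $fields, string $prefix = ''): array
{
    $findings = [];
    foreach ($fields as $name => $value) {
        $path = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {                      // nested form arrays, e.g. profile[bio]
            $findings = array_merge($findings, findSerializedPayloads($value, $path));
            continue;
        }
        $value  = (string) $value;
        $reason = classifySerializedValue($value);
        if ($reason !== null) {
            $findings[] = ['field' => $path, 'reason' => $reason];
            continue;
        }
        // Base64-looking values are decoded and re-checked (strict mode rejects junk).
        if (strlen($value) >= 16 && preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $value)) {
            $decoded = base64_decode($value, true);
            if ($decoded !== false && ($reason = classifySerializedValue($decoded)) !== null) {
                $findings[] = ['field' => $path, 'reason' => 'base64: ' . $reason];
            }
        }
    }
    return $findings;
}

/**
 * null  -> plain text
 * otherwise a reason string: object declaration (dangerous) or serialized scalar/array.
 * The prefix test follows the actual grammar (O:<len>:" , a:<n>:{ , s:<len>:" , ...)
 * so ordinary text such as "a: b" is not flagged.
 */
function classifySerializedValue(string $v): ?string
{
    if (!preg_match('/^(?:O:\d+:"|C:\d+:"|a:\d+:\{|s:\d+:"|i:-?\d+;|b:[01];|d:[^;]+;|N;)/', $v)) {
        return null;
    }
    // Object declaration anywhere in the blob, including nested inside an array: O:<len>:"<class>":<n>:{
    if (preg_match_all('/O:\d+:"([^"]+)":\d+:\{/', $v, $m)) {
        return 'serialized object(s): ' . implode(',', array_unique($m[1]));
    }
    // Classes implementing Serializable are encoded as C: and are instantiated as well.
    if (preg_match_all('/C:\d+:"([^"]+)":\d+:\{/', $v, $m)) {
        return 'serialized Serializable class: ' . implode(',', array_unique($m[1]));
    }
    return 'serialized scalar/array (no object)';
}

// Constructed sample body standing in for a captured POST to a redirect-with-input route.
$sample = [
    'username' => 'alice',
    'email'    => 'alice@example.com',
    'profile'  => [
        'bio'  => 'a:1:{i:0;O:8:"stdClass":0:{}}',          // benign object nested in an array
        'tags' => 'a:2:{i:0;s:3:"php";i:1;s:2:"ci";}',      // serialized, but strings only
    ],
    // Constructed class name; the scanner reports it after base64 decoding.
    'token'    => base64_encode('O:19:"Constructed\\Example":1:{s:4:"note";s:3:"abc";}'),
];

foreach (findSerializedPayloads($sample) as $f) {
    printf("%-14s %s\n", $f['field'], $f['reason']);
}
```

Fields that decode to a serialized array of strings are reported separately from fields that declare objects, so a filter can block the object case outright while only logging the weaker signal for triage. Replaying access-log POST bodies through the same function gives the retrospective check the indicators list calls for.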
Monitoring Recommendations
- Enable verbose logging of session flashdata writes and reads in non-production environments to baseline expected content.
- Monitor outbound database queries for anomalous statements emitted shortly after redirect-with-input flows.
- Track installed CodeIgniter4 versions across application inventories and alert on any instance below 4.1.6.
How to Mitigate CVE-2022-21647
Immediate Actions Required
- Upgrade CodeIgniter4 to version 4.1.6 or later across all environments.
- Audit application code for direct or indirect calls to old(), form_helper, RedirectResponse::withInput(), and redirect()->withInput().
- Invalidate active session data after upgrading to purge any attacker-staged serialized payloads from flashdata stores.
Patch Information
The maintainers fixed the issue in CodeIgniter4 4.1.6. The remediation is shipped in commit ce95ed5765256e2f09f3513e7d42790e0d6948f5, which removes the unsafe deserialization path used by the input redisplay helpers. Full disclosure is available in the CodeIgniter4 Security Advisory GHSA-w6jr-wj64-mc9x.
Workarounds
- If upgrade is not immediately feasible, stop using the old() function and the form_helper across views and controllers.
- Replace RedirectResponse::withInput() and redirect()->withInput() calls with explicit, type-validated repopulation logic.
- Restrict session storage backends to server-side stores and rotate session secrets after deploying mitigations.
# Upgrade CodeIgniter4 via Composer to the patched release
composer require codeigniter4/framework:^4.1.6
composer update codeigniter4/framework
php spark --version
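The root cause and the workaround above describe the same defect from two sides: flashdata that originates from form fields must never reach unserialize(). The following added example, written for this page and not CodeIgniter4's own code, shows the unsafe input-redisplay pattern the advisory describes beside two hardened replacements: a JSON-backed store with explicit type validation (form input is only ever strings or nested arrays of strings), and a guarded fallback for code that cannot drop unserialize() yet. The $flash array stands in for the session flashdata store, the function names and the _old_input keys are assumptions, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Added example (not CodeIgniter4 code). $flash models session flashdata;
// the key names and function names are illustrative.

/** Unsafe pattern: trusts flashdata and hands it to unserialize(). */
function oldUnsafe(array $flash, string $key)
{
    $blob = $flash['_old_input'][$key] ?? null;
    // Object injection point: any class the blob names can be instantiated here.
    return is_string($blob) ? unserialize($blob) : $blob;
}

/** Form input is strings or nested arrays of strings; anything else is rejected. */
function isFormValue($v): bool
{
    if (is_string($v)) {
        return true;
    }
    if (!is_array($v)) {
        return false;                 // objects, including __PHP_Incomplete_Class, fail here
    }
    foreach ($v as $item) {
        if (!isFormValue($item)) {
            return false;
        }
    }
    return true;
}

/** Hardened storage: JSON cannot encode a class name, so nothing can be instantiated. */
function stashInput(array $post): string
{
    return json_encode($post, JSON_THROW_ON_ERROR);
}

/** Hardened retrieval: decode to arrays only, then validate the shape before repopulating. */
function oldSafe(array $flash, string $key)
{
    $json = $flash['_old_input_json'] ?? null;
    if (!is_string($json)) {
        return null;
    }
    try {
        $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);   // true: never stdClass
    } catch (JsonException $e) {
        return null;                  // corrupted or tampered flashdata: repopulate nothing
    }
    $value = $data[$key] ?? null;
    return isFormValue($value) ? $value : null;
}

/** Fallback while legacy serialized flashdata still exists: forbid class instantiation. */
function oldLegacyGuarded(array $flash, string $key)
{
    $blob = $flash['_old_input'][$key] ?? null;
    if (!is_string($blob)) {
        return $blob;
    }
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // which isFormValue() rejects; '@' silences the notice on malformed input.
    $value = @unserialize($blob, ['allowed_classes' => false]);
    return isFormValue($value) ? $value : null;
}

// Constructed flashdata: one legitimate value and one benign object payload (stdClass).
$flash = [
    '_old_input' => [
        'email' => 's:17:"alice@example.com";',
        'name'  => 'O:8:"stdClass":0:{}',
    ],
    '_old_input_json' => stashInput(['email' => 'alice@example.com', 'name' => 'alice']),
];

var_dump(oldUnsafe($flash, 'name'));         // unsafe path: instantiates the class the blob names
var_dump(oldLegacyGuarded($flash, 'name'));  // guarded path: object rejected, nothing repopulated
var_dump(oldSafe($flash, 'email'));          // JSON path: validated string comes back
```

The JSON route is the one to keep: it removes the deserialization path entirely, which is what the 4.1.6 fix is described as doing, rather than relying on a filter to keep objects out. The allowed_classes guard only buys time for sessions written before the change; after deploying it, invalidating existing sessions (as the immediate actions above recommend) removes the need for it.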
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.