CVE-2022-23556:
CodeIgniter4 allows spoofing of IP address when using proxy
7
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.21404%
CWE
Published
12/22/2022
Updated
2/1/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
codeigniter4/framework | composer | < 4.2.11 | 4.2.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from how getIPAddress() handled proxy IP validation. Pre-patch versions allowed $proxyIPs to be configured as a string/comma-list, which led to insufficient verification of client IP headers. The method checked multiple headers (X-Forwarded-For, Client-IP, etc.) without properly validating whether the connecting proxy itself was trusted, enabling IP spoofing if the server was behind a reverse proxy. The commit 5ca8c99 fundamentally changed $proxyIPs to require explicit proxy-IP-to-header mappings, and added validation checks that were previously missing.