Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

GHSA-ghw3-5qvm-3mqc

GitHub Security Advisory

CodeIgniter4 allows spoofing of IP address when using proxy

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact
This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.

### Patches
Upgrade to v4.2.11 or later, and configure `Config\App::$proxyIPs`.

### Workarounds
Do not use `$request->getIPAddress()`.

### References
- https://codeigniter4.github.io/userguide/incoming/request.html#CodeIgniter\HTTP\Request::getIPAddress

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)
* Email us at [SECURITY.md](https://github.com/codeigniter4/CodeIgniter4/blob/develop/SECURITY.md)

Affected Packages

Packagist codeigniter4/framework

Affected versions: 0 (fixed in 4.2.11)

Related CVEs

CVE-2022-23556

Key Information

GHSA ID

GHSA-ghw3-5qvm-3mqc

Published

December 22, 2022 7:59 PM

Last Modified

December 22, 2022 7:59 PM

CVSS Score

7.5 /10

Primary Ecosystem

Packagist

Primary Package

codeigniter4/framework

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.