
chore(deps): update dependency codeigniter4/framework to v4.6.2 [security]#11

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/packagist-codeigniter4-framework-vulnerability

Conversation


@renovate renovate bot commented Aug 9, 2024

This PR contains the following updates:

Package: codeigniter4/framework (source)
Change: 4.4.3 → 4.6.2

GitHub Vulnerability Alerts

CVE-2024-29904

Impact

A vulnerability was found in the Language class that allowed DoS attacks. This vulnerability can be exploited by an attacker to consume a large amount of memory on the server.

Patches

Upgrade to v4.4.7 or later. See the upgrading guide.

Workarounds

  • Disabling Auto Routing prevents a known attack vector in the framework.
  • Do not pass invalid values to the lang() function or Language class.

CVE-2025-24013

Impact

There is a lack of proper header validation for its name and value. A potential attacker can construct deliberately malformed headers with the Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed requests might lead to a DoS scenario if a remote service’s web application firewall interprets them as malicious and blocks further communication with the application.

Patches

Upgrade to v4.5.8 or later.

Workarounds

Validate HTTP header keys and/or values if using user-supplied values before passing them to Header class.

Differences from CVE-2023-29197

  1. Affected Software:
    • CVE-2023-29197 specifically addresses a vulnerability in the guzzlehttp/psr7 library.
    • The reported issue in this Security Advisory is within the CodeIgniter4 framework and does not depend on or use the guzzlehttp/psr7 library.
  2. Root Cause and Implementation:
    • The vulnerability reported arises from an issue in the Header class of CodeIgniter4, which is unrelated to the functionality or implementation of guzzlehttp/psr7.
  3. Scope of Impact:
    • The vulnerability described in this Security Advisory affects applications built with the CodeIgniter4 framework, which does not use or rely on the guzzlehttp/psr7 library.

CVE-2025-54418

Impact

This vulnerability affects applications that:

  • Use the ImageMagick handler for image processing (imagick as the image library)
  • AND either:
    • Allow file uploads with user-controlled filenames and process uploaded images using the resize() method
    • OR use the text() method with user-controlled text content or options

An attacker can:

  • Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed
  • OR provide malicious text content or options that get executed when adding text to images

Patches

Upgrade to v4.6.2 or later.

Workarounds

  • Switch to the GD image handler (gd, the default handler), which is not affected by either vulnerability
  • For file upload scenarios: Instead of using user-provided filenames, generate random names to eliminate the attack vector with getRandomName() when using the move() method, or use the store() method, which automatically generates safe filenames
  • For text operations: If you must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters: preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) and validate/restrict text options


Release Notes

codeigniter4/framework (codeigniter4/framework)

See the changelog for every release: https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md

  • v4.6.2: CodeIgniter 4.6.2 release. Full Changelog: codeigniter4/CodeIgniter4@v4.6.1...v4.6.2
  • v4.6.1: CodeIgniter 4.6.1 release. Full Changelog: codeigniter4/CodeIgniter4@v4.6.0...v4.6.1
  • v4.6.0: CodeIgniter 4.6.0 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.8...v4.6.0
  • v4.5.8: CodeIgniter 4.5.8 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.7...v4.5.8
  • v4.5.7: CodeIgniter 4.5.7 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.6...v4.5.7
  • v4.5.6: CodeIgniter 4.5.6 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.5...v4.5.6
  • v4.5.5: CodeIgniter 4.5.5 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.4...v4.5.5
  • v4.5.4: CodeIgniter 4.5.4 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.3...v4.5.4
  • v4.5.3: CodeIgniter 4.5.3 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.2...v4.5.3
  • v4.5.2: CodeIgniter 4.5.2 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.1...v4.5.2
  • v4.5.1: CodeIgniter 4.5.1 release. Full Changelog: codeigniter4/CodeIgniter4@v4.5.0...v4.5.1
  • v4.5.0: CodeIgniter 4.5.0 release. Full Changelog: codeigniter4/CodeIgniter4@v4.4.8...v4.5.0
  • v4.4.8: CodeIgniter 4.4.8 release. Full Changelog: codeigniter4/CodeIgniter4@v4.4.7...v4.4.8
  • v4.4.7: CodeIgniter 4.4.7 release. Full Changelog: codeigniter4/CodeIgniter4@v4.4.6...v4.4.7
  • v4.4.6: CodeIgniter 4.4.6 release. Full Changelog: codeigniter4/CodeIgniter4@v4.4.5...v4.4.6
  • v4.4.5: CodeIgniter 4.4.5 release. Full Changelog: codeigniter4/CodeIgniter4@v4.4.4...v4.4.5
  • v4.4.4: CodeIgniter 4.4.4 release. Full Changelog: codeigniter4/CodeIgniter4@v4.4.3...v4.4.4


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
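One way to apply the advisory workarounds for CVE-2025-24013 (validate header names and values before the Header class sees them) and CVE-2025-54418 (random upload names and an allow-listed caption before the ImageMagick handler runs) in application code, as an added example that is not code from CodeIgniter or this repository; the controller, form field names, MIME allow-list and caption length bound are assumptions:

```php
<?php
// Added example, not CodeIgniter's or this repository's code: the advisory
// workarounds in a CodeIgniter 4 controller. Assumes the "imagick" handler and a
// form with an "image" file field and a "caption" text field.
namespace App\Controllers;

use CodeIgniter\HTTP\Header;
use Config\Services;

class ImageController extends BaseController
{
    // CVE-2025-24013: require an RFC 7230 token as the name and refuse CR, LF
    // or other control bytes (tab excepted) in the value before using Header.
    public static function safeHeader(string $name, string $value): Header
    {
        if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name) !== 1) {
            throw new \InvalidArgumentException('invalid header name');
        }
        if (preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1) {
            throw new \InvalidArgumentException('invalid header value');
        }
        return new Header($name, $value);
    }

    // CVE-2025-54418: the client filename never reaches ImageMagick; the file is
    // stored under a random name and the caption is allow-listed before text().
    public function upload()
    {
        $file = $this->request->getFile('image');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('invalid upload');
        }
        // Assumption: only JPEG/PNG are wanted; the type is checked server-side.
        if (! in_array($file->getMimeType(), ['image/jpeg', 'image/png'], true)) {
            return $this->response->setStatusCode(415)->setBody('unsupported type');
        }
        $name = $file->getRandomName();            // no shell metacharacters
        $file->move(WRITEPATH . 'uploads', $name); // store() would also pick a safe name
        $path = WRITEPATH . 'uploads/' . $name;
        // The advisory's allow-list, plus a length bound (assumption).
        $caption = (string) ($this->request->getPost('caption') ?? '');
        $caption = mb_substr(preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $caption), 0, 80);
        Services::image('imagick')->withFile($path)->resize(320, 240, true)
            ->text($caption, ['color' => '#ffffff', 'fontSize' => 14, 'vAlign' => 'bottom'])
            ->save($path);
        return $this->response->setJSON(['stored' => $name]);
    }
}
```

Switching the handler to gd, as the advisory recommends, removes the command-execution path entirely; the checks above are for applications that must keep imagick.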

@renovate renovate bot force-pushed the renovate/packagist-codeigniter4-framework-vulnerability branch from 3837274 to c6e039f Compare January 23, 2025 20:18
@renovate renovate bot changed the title chore(deps): update dependency codeigniter4/framework to v4.4.7 [security] chore(deps): update dependency codeigniter4/framework to v4.5.8 [security] Jan 23, 2025
@renovate renovate bot force-pushed the renovate/packagist-codeigniter4-framework-vulnerability branch from c6e039f to 4020418 Compare August 4, 2025 19:55
@renovate renovate bot changed the title chore(deps): update dependency codeigniter4/framework to v4.5.8 [security] chore(deps): update dependency codeigniter4/framework to v4.6.2 [security] Aug 4, 2025
@renovate renovate bot force-pushed the renovate/packagist-codeigniter4-framework-vulnerability branch from 4020418 to d4e4a37 Compare December 17, 2025 07:45