CVE-2025-54418

Published Jul 28, 2025

Last updated 5 days ago

CodeIgniter

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-54418 is a command injection vulnerability affecting CodeIgniter4 applications that use the ImageMagick handler for image processing, specifically versions prior to 4.6.2. It allows attackers to execute arbitrary system commands on vulnerable servers. This vulnerability exists if the application allows file uploads with user-controlled filenames and processes the uploaded images using the `resize()` method, or if the application uses the `text()` method with user-controlled content or options. There are two primary attack vectors: uploading files with malicious filenames containing shell metacharacters that are executed during image processing, and exploiting the `text()` method by injecting malicious content or options when adding text overlays to images. To mitigate this vulnerability, users should upgrade to version 4.6.2 or later. As a workaround, switching to the GD image handler or generating random names for uploaded files can eliminate the attack vector.

Description: CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed or provide malicious text content or options that get executed when adding text to images Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vulnerability. For file upload scenarios, instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters and validate/restrict text options.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Insights

Analysis from the Intruder Security Team

Published Jul 30, 2025 Updated Jul 31, 2025

For this vulnerability to be exploitable, the ImageMagick image processing library needs to be used to resize or add a text watermark to a user-uploaded file which was saved using a user-provided filename, or where the parameters for adding a watermark are user-controlled. File upload implementations that use a randomly generated filename before image resizing are not vulnerable.

This vulnerability is simple to exploit and we expect to see active exploitation soon. However, attackers will need to locate file upload functionality within your applications first which will be difficult to fully automate at scale, so mass exploitation is unlikely.

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security-advisories@github.com: CWE-78

Hype score: Not currently trending

References

Sources include official advisories and independent security research.