CVE-2025-54418

Published Jul 28, 2025

Last updated 8 months ago

Overview

Description
CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either (a) allow file uploads with user-controlled filenames and process the uploaded images with the `resize()` method, or (b) use the `text()` method with user-controlled text content or options. An attacker can upload a file whose filename contains shell metacharacters, which are executed when the image is processed, or supply malicious text content or options that are executed when text is added to an image. Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either issue. For file upload scenarios, do not use user-provided filenames: generate a random name with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, if ImageMagick must be used with user-controlled text, sanitize the input to allow only safe characters and validate or restrict the text options.
Source
security-advisories@github.com
NVD status
Analyzed
Products
codeigniter

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-78

Social media

Hype score
Not currently trending
  1. Critical CodeIgniter4 Vulnerability CVE-2025-54418 #CISO https://t.co/QPEfohPTdY

    @compuchris

    31 Jul 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨CVE-2025-54418: CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability FOFA Query: app="CodeIgniter-PHP-Framework" Results: 2,254,632 FOFA: https://t.co/nNF6k73cmY CVSS: 9.8 Advisory: https://t.co/d7sZIDiBs4 https://t.co/72utqjP4jo

    @DarkWebInformer

    30 Jul 2025

    5053 Impressions

    26 Retweets

    79 Likes

    24 Bookmarks

    0 Replies

    0 Quotes

  3. A critical command injection vulnerability (CVE-2025-54418) has been discovered in CodeIgniter4's ImageMagick handler. Its CVSS score is the maximum of 10.0, and arbitrary commands can be executed without authentication or user interaction; a serious…

    @yousukezan

    29 Jul 2025

    1313 Impressions

    1 Retweet

    8 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  4. ⚠️⚠️ CVE-2025-54418: CodeIgniter has Command Injection Vulnerability 🎯2.2m+ Results are found on the https://t.co/pb16tGXCUG nearly year 🔗FOFA Link:https://t.co/FYxWadIOr1 FOFA Query:app="CodeIgniter-PHP-Framework" 🔖Refer:https://t.co/pMZUeMvUNy #OSINT #FOFA #Cyb

    @fofabot

    29 Jul 2025

    3260 Impressions

    18 Retweets

    57 Likes

    27 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-54418 Command Injection in CodeIgniter ImageMagick Handler Versions Prior to 4.6.2 https://t.co/w0tzEBs6wK

    @VulmonFeeds

    28 Jul 2025

    2 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-54418 CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick hand… https://t.co/YYDRQkvjDW

    @CVEnew

    28 Jul 2025

    391 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 CVE-2025-54418: Remote command injection in CodeIgniter’s ImageMagick handler lets attackers run shell commands without login. Upgrade to 4.6.2 or switch to the GD handler now! Full advisory ➡️ https://t.co/3U9vDiwyPW #CodeIgniter #infosec #AppSec

    @VolerionSec

    28 Jul 2025

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. [CVE-2025-54418: CRITICAL] CodeIgniter users beware! A command injection vulnerability pre-4.6.2 in ImageMagick handler has been identified. Upgrade to 4.6.2, use GD handler, and sanitize user inputs. #cve, CVE-2025-54418, #cybersecurity https://t.co/JEVXZ1XInJ https://t.co/A3a3U6uZ

    @CveFindCom

    28 Jul 2025

    80 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations