Cyber Web Spider Blog – News
CodeIgniter Vulnerability Exposes Millions of Webapps to File Upload Attacks

Posted on July 29, 2025 by CWS

A critical security vulnerability has been found in CodeIgniter4's ImageMagick handler, potentially exposing hundreds of thousands of web applications to command injection attacks through malicious file uploads.

The vulnerability, tracked as CVE-2025-54418, received a CVSS score of 9.8, indicating the highest severity level and immediate risk to affected systems.

Key Takeaways
1. Critical vulnerability in CodeIgniter4.
2. Malicious filenames or text in uploads execute system commands.
3. Upgrade to 4.6.2 or use the GD handler.

CodeIgniter Command Injection Vulnerability

GitHub reports that the command injection vulnerability in CodeIgniter4's ImageMagick handler allows attackers to execute arbitrary system commands on vulnerable servers.

The flaw, classified under CWE-78 (OS Command Injection), affects all CodeIgniter4 applications running versions prior to 4.6.2 that use the ImageMagick library for image processing operations.

The vulnerability was published to the GitHub Advisory Database on July 28, 2025, and has been assigned critical severity due to its potential for full system compromise.

The attack requires no authentication and can be executed remotely with low complexity, making it particularly dangerous for internet-facing applications.

The CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates maximum impact across confidentiality, integrity, and availability.

The vulnerability manifests through two primary attack vectors within applications that use the ImageMagick handler (imagick as the image library).

The first attack vector exploits the resize() method when processing uploaded images with user-controlled filenames containing shell metacharacters, which are executed during image processing.

The second vector targets the text() method, where malicious content or options supplied by users can result in command execution when adding text overlays to images.

Attackers can craft malicious filenames or text parameters that break out of the intended ImageMagick command context and execute arbitrary shell commands on the underlying server.

This type of vulnerability is particularly concerning because it bypasses traditional input validation mechanisms that focus on file content rather than metadata such as filenames.

Risk Factors / Details
Affected Products: CodeIgniter4 Framework, all versions
Impact: Command Injection – Full system compromise
Exploit Prerequisites: ImageMagick handler enabled (imagick library); file uploads with user-controlled filenames, OR text operations with user-controlled content
CVSS 3.1 Score: 9.8 (Critical)

Patch Available

CodeIgniter4 developers have released version 4.6.2 as an emergency patch to address this critical vulnerability. Organizations running affected versions should upgrade immediately to prevent potential exploitation.

For environments where immediate patching is not feasible, several workarounds are available to reduce risk exposure.

The most effective temporary mitigation involves switching from the ImageMagick handler to the GD image handler (gd), which is CodeIgniter4's default and is unaffected by this vulnerability.

For file upload scenarios, developers should use the getRandomName() method when calling move(), or use the store() method, which automatically generates safe filenames.

Applications using text operations should sanitize user input with a pattern such as preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) to remove dangerous characters.
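As an added illustration of the workarounds above (this is example code, not from the article or the CodeIgniter project), the controller below applies all three: a random filename from getRandomName() before move(), the article's allow-list sanitizer before text(), and the unaffected gd handler instead of imagick. The form field names userfile and caption, the upload folder and the image dimensions are assumptions.

```php
<?php
// Added example; assumes a CodeIgniter4 app with a multipart form that
// posts an image as "userfile" and a caption string as "caption".

namespace App\Controllers;

use CodeIgniter\Controller;
use Config\Services;

class Upload extends Controller
{
    public function index()
    {
        $file = $this->request->getFile('userfile');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('No valid upload');
        }

        // Weak pattern (do not use): reusing the client-supplied name lets
        // attacker-chosen filename characters reach the image command line.
        // $file->move(WRITEPATH . 'uploads', $file->getClientName());

        // Hardened: let the framework generate a random, safe filename.
        // ($file->store('uploads') achieves the same with one call.)
        $newName = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $newName);
        $path = WRITEPATH . 'uploads/' . $newName;

        // Text overlay input: keep only the conservative allow-list from the
        // article, so no shell metacharacters survive into text().
        $caption = preg_replace(
            '/[^a-zA-Z0-9\s.,!?-]/',
            '',
            (string) $this->request->getPost('caption')
        );

        // Use the GD handler (the framework default), which is not affected,
        // rather than 'imagick'. Sizes and style options are assumed values.
        Services::image('gd')
            ->withFile($path)
            ->resize(800, 600, true, 'width')
            ->text($caption, ['color' => '#ffffff', 'fontSize' => 14])
            ->save($path);

        return $this->response->setJSON(['stored' => $newName]);
    }
}
```

Once 4.6.2 is deployed, the random-filename and sanitizer steps remain good practice even if the handler is switched back to imagick.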
