CVE-2025-54418
CodeIgniter ImageMagick Command Injection Vulnerability
Description
CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed or provide malicious text content or options that get executed when adding text to images Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vulnerability. For file upload scenarios, instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters and validate/restrict text options.
INFO
Published Date :
July 28, 2025, 3:15 p.m.
Last Modified :
Aug. 5, 2025, 3:46 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-54418.
| URL | Resource |
|---|---|
| https://cwe.mitre.org/data/definitions/78.html | Not Applicable |
| https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0 | Patch |
| https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c | Vendor Advisory Mitigation |
| https://owasp.org/www-community/attacks/Command_Injection | Not Applicable |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-54418 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-54418
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-54418 vulnerability anywhere in the article.
-
The Cyber Express
CVE-2025-8355 & CVE-2025-8356: Xerox Issues Urgent Fixes for SSRF and RCE Bugs
Xerox Corporation has issued urgent security updates addressing two high-impact vulnerabilities in its FreeFlow Core software. The flaws, now tracked as CVE-2025-8355 and CVE-2025-8356, have the poten ... Read more
-
The Cyber Express
Microsoft to Pull Plug on Shared EWS Access in Hybrid Exchange by October
Organizations using Exchange hybrid deployments should prepare for new changes taking effect over the next few months. Microsoft has announced that beginning in August 2025, it will temporarily block ... Read more
-
The Cyber Express
WordPress AI Engine Plugin Bug Allows Remote Code Execution – Update Now
A security flaw affecting over 100,000 WordPress websites has been discovered in the AI Engine plugin, specifically impacting versions 2.9.3 and 2.9.4. The vulnerability, classified as an arbitrary fi ... Read more
-
The Cyber Express
iOS 18.6 to macOS 15.6: Apple Releases Comprehensive Security Updates
Apple has rolled out a wide-ranging series of Apple security updates and Rapid Security Responses, spanning iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. These carefully coordinated Apple security ... Read more
-
The Cyber Express
CodeIgniter4 Flaw CVE-2025-54418 Enables Remote Code Execution via File Uploads
A major security flaw has been detected in the popular PHP framework CodeIgniter4. The tag of a critical vulnerability, CVE-2025-54418, was officially disclosed on July 26, 2025, targeting users with ... Read more
-
CybersecurityNews
Critical CodeIgniter Vulnerability Exposes Million of Webapps to File Upload Attacks
A critical security vulnerability has been discovered in CodeIgniter4’s ImageMagick handler, exposing potentially millions of web applications to command injection attacks through malicious file uploa ... Read more
The following table lists the changes that have been made to the
CVE-2025-54418 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Aug. 05, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:codeigniter:codeigniter:*:*:*:*:*:*:*:* versions from (including) 4.0.0 up to (excluding) 4.6.2 Added Reference Type GitHub, Inc.: https://cwe.mitre.org/data/definitions/78.html Types: Not Applicable Added Reference Type GitHub, Inc.: https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c Types: Mitigation, Vendor Advisory Added Reference Type GitHub, Inc.: https://owasp.org/www-community/attacks/Command_Injection Types: Not Applicable -
New CVE Received by [email protected]
Jul. 28, 2025
Action Type Old Value New Value Added Description CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed or provide malicious text content or options that get executed when adding text to images Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vulnerability. For file upload scenarios, instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters and validate/restrict text options. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-78 Added Reference https://cwe.mitre.org/data/definitions/78.html Added Reference https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0 Added Reference https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c Added Reference https://owasp.org/www-community/attacks/Command_Injection