Command Injection Vulnerability in CodeIgniter Framework Affecting Image Processing
CVE-2025-54418

9.8CRITICAL

Key Information:

Vendor

Codeigniter4

Status
Codeigniter4
Vendor
CVE Published:
28 July 2025

What is CVE-2025-54418?

A command injection flaw exists in the CodeIgniter framework, impacting versions before 4.6.2. This vulnerability particularly affects applications that utilize the ImageMagick handler (imagick) for image processing. It allows attackers to manipulate file uploads by providing filenames containing shell metacharacters or controlling text input/options during image text rendering. If exploited, an attacker can execute arbitrary commands on the server. Users are encouraged to upgrade to version 4.6.2 or later to mitigate this risk. As an interim solution, switching to the GD image handler and implementing safe filename generation or input sanitization can significantly reduce the threat.

Affected Version(s)

CodeIgniter4 < 4.6.2

References

https://github.com/codeigniter4/CodeIgniter4/security/adv...
x_refsource_CONFIRM
https://github.com/codeigniter4/CodeIgniter4/commit/e1812...
x_refsource_MISC
https://cwe.mitre.org/data/definitions/78.html
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.