CVE-2025-54418
📋 TL;DR
This CVE describes a command injection vulnerability in CodeIgniter 4's ImageMagick image handler that allows remote code execution. Applications that use the ImageMagick handler with user-controlled filenames or text content are affected. An attacker can execute arbitrary commands on the server by uploading a file with a crafted name or by supplying crafted text input that reaches the handler.
💻 Affected Systems
- CodeIgniter 4
📦 What is this software?
Codeigniter by Codeigniter
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attacker to execute arbitrary commands with web server privileges, potentially leading to data theft, system takeover, or lateral movement.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, or server resource abuse.
If Mitigated
Limited impact with proper input validation and filename sanitization, potentially only causing image processing failures.
🎯 Exploit Status
Exploitation requires specific conditions but is straightforward when those conditions are met. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.2
Vendor Advisory: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c
Restart Required: No
Instructions:
1. Update CodeIgniter to version 4.6.2 or later using Composer: composer require codeigniter4/framework:^4.6.2
2. Clear any cached files and verify the update.
🔧 Temporary Workarounds
Switch to GD image handler
Change from the ImageMagick handler to the GD library, which does not shell out and is not affected.
In app/Config/Images.php, set $library = 'gd'
Use safe filename generation
Generate random filenames on the server instead of using the client-provided name:
$file->getRandomName()
$file->store()
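The two workarounds applied together in a controller, shown next to the pattern the advisory warns about. This is an added example, not code from the advisory or from the CodeIgniter project. It assumes an `avatar` file field and an optional `caption` post field; `service('image', ...)`, `getRandomName()`, `store()`, `text()` and the validation rules are CodeIgniter 4 APIs, while `safeCaption()` is a helper written for this example.

```php
<?php
// Added example (not part of the advisory or of the CodeIgniter project).
// Shows the vulnerable pattern next to a hardened version.

namespace App\Controllers;

use CodeIgniter\Controller;
use CodeIgniter\HTTP\ResponseInterface;

class Avatar extends Controller
{
    // BEFORE: the browser-supplied filename and caption reach the ImageMagick
    // handler unchanged. On CodeIgniter 4 below 4.6.2 they become part of the
    // command line the handler builds for the ImageMagick binary.
    public function uploadUnsafe(): ResponseInterface
    {
        $file = $this->request->getFile('avatar');
        $name = $file->getClientName();                 // user-controlled
        $path = $file->store('avatars', $name);         // returns avatars/<name>

        service('image', 'imagick')
            ->withFile(WRITEPATH . 'uploads/' . $path)
            ->resize(200, 200, true)
            ->text((string) $this->request->getPost('caption'))  // user-controlled
            ->save(WRITEPATH . 'uploads/avatars/thumb_' . $name);

        return $this->response->setJSON(['file' => $path]);
    }

    // AFTER: validate the upload, discard the client name entirely, and
    // restrict the caption to a small character set before it reaches any handler.
    public function uploadSafe(): ResponseInterface
    {
        $rules = [
            'avatar'  => 'uploaded[avatar]|is_image[avatar]'
                       . '|mime_in[avatar,image/jpeg,image/png]|max_size[avatar,2048]',
            'caption' => 'permit_empty|max_length[64]',
        ];
        if (! $this->validate($rules)) {
            return $this->response->setStatusCode(422)
                                  ->setJSON($this->validator->getErrors());
        }

        $file = $this->request->getFile('avatar');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400);
        }

        // Server-generated name (random string plus the detected extension);
        // the client's filename is never used for anything.
        $name = $file->getRandomName();
        $path = $file->store('avatars', $name);

        // GD does not shell out, so it is the safer handler while unpatched.
        $image = service('image', 'gd')
            ->withFile(WRITEPATH . 'uploads/' . $path)
            ->resize(200, 200, true);

        $caption = $this->safeCaption((string) $this->request->getPost('caption'));
        if ($caption !== '') {
            $image->text($caption, ['fontSize' => 14, 'vAlign' => 'bottom']);
        }
        $image->save(WRITEPATH . 'uploads/avatars/thumb_' . $name);

        return $this->response->setJSON(['file' => $path]);
    }

    // Allow-list filter for text overlays (helper written for this example):
    // letters, digits, space and a few punctuation marks. Anything else is
    // dropped rather than escaped, so the result is safe for either handler.
    private function safeCaption(string $input): string
    {
        $clean = preg_replace('/[^A-Za-z0-9 .,_-]/', '', $input) ?? '';
        return mb_substr(trim($clean), 0, 64);
    }
}
```

The hardened version does not try to escape the client filename; it never uses it. Dropping the value is simpler to reason about than quoting it, and the random name still carries the extension the framework detected, so downstream code that keys on extension keeps working.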
🧯 If You Can't Patch
- Switch to GD image handler immediately as temporary mitigation
- Implement strict input validation and sanitization for all user-controlled filenames and text inputs
🔍 How to Verify
Check if Vulnerable:
You are affected if you run CodeIgniter 4 below 4.6.2, use the ImageMagick handler, and pass user-controlled filenames or text to it.
Check Version:
composer show codeigniter4/framework | grep version
Verify Fix Applied:
Verify CodeIgniter version is 4.6.2 or higher and confirm ImageMagick handler is either not used or inputs are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual ImageMagick command executions
- Shell commands in image processing logs
- Failed image processing with suspicious filenames
Network Indicators:
- Outbound connections from web server to unexpected destinations following image uploads
SIEM Query:
search 'ImageMagick' AND ('command injection' OR 'shell metacharacters' OR suspicious filename patterns) in web application logs
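A small detection check over upload log lines, added here as an example rather than taken from the advisory. The log format (`upload file="..." caption="..."`) is an assumption, since CodeIgniter does not log uploads in this shape by default, and the sample lines are constructed; `parseUploadLine()` and `findSuspiciousUploads()` are written for this example.

```php
<?php
// Added example (not part of the advisory or of CodeIgniter): flag upload log
// entries whose filename or caption contains shell metacharacters, the kind of
// input the unpatched ImageMagick handler would have passed to the shell.

declare(strict_types=1);

// Characters with meaning to a POSIX shell. Filenames that legitimately need
// any of these are rare enough to review by hand.
const SHELL_META = '/[;&|`$<>()\\\\\'"\n\r]/';

/**
 * Parse one log line of the assumed form
 *   2025-08-01 10:15:02 INFO upload file="name.png" caption="text"
 * and return its fields, or null if the line does not match.
 */
function parseUploadLine(string $line): ?array
{
    $re = '/^(\S+ \S+) (\w+) upload file="([^"]*)" caption="([^"]*)"$/';
    if (! preg_match($re, $line, $m)) {
        return null;
    }
    return ['ts' => $m[1], 'level' => $m[2], 'file' => $m[3], 'caption' => $m[4]];
}

/** Return one hit per field (file or caption) that carries shell metacharacters. */
function findSuspiciousUploads(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseUploadLine($line);
        if ($entry === null) {
            continue;
        }
        foreach (['file', 'caption'] as $field) {
            if (preg_match(SHELL_META, $entry[$field]) === 1) {
                $hits[] = ['ts' => $entry['ts'], 'field' => $field, 'value' => $entry[$field]];
            }
        }
    }
    return $hits;
}

// Constructed sample lines. A space in a filename is normal and is not flagged;
// the third line's caption contains a command separator and is.
$sample = [
    '2025-08-01 10:15:02 INFO upload file="a1b2c3.png" caption="Team photo"',
    '2025-08-01 10:15:40 INFO upload file="holiday 2025.jpg" caption="Beach"',
    '2025-08-01 10:16:11 INFO upload file="x.png" caption="x; y"',
];

foreach (findSuspiciousUploads($sample) as $hit) {
    printf("%s suspicious %s: %s\n", $hit['ts'], $hit['field'], $hit['value']);
}
```

Run it as a one-off over exported logs, or lift the two functions into a scheduled job. The metacharacter class is deliberately broad: a false positive costs an analyst a glance, while a miss on a pre-4.6.2 install is a command execution.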