Cyber Posture

CVE-2025-54418

Critical · RCE

Published: 28 July 2025

Modified: 05 August 2025
KEV Added: not listed
Patch: available (upgrade to v4.6.2 or later)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0078 (73.8th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54418 is a critical-severity OS Command Injection (CWE-78) vulnerability in the CodeIgniter PHP framework (vendor and product both listed as codeigniter). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent (SI-2, Flaw Remediation): Requires timely remediation of flaws by upgrading to CodeIgniter v4.6.2 or later, which patches the command injection vulnerability in the ImageMagick handler.
- Prevent (SI-10, Information Input Validation): Mandates validation of user-controlled inputs such as filenames and text content to sanitize shell metacharacters before they are processed with ImageMagick's resize() or text() methods.
- Prevent (CM-7, Least Functionality): Enforces least functionality by prohibiting or restricting the vulnerable ImageMagick (imagick) handler and defaulting to the unaffected GD library.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in a public-facing CodeIgniter web application enables remote exploitation (T1190) and direct execution of arbitrary Unix shell commands on the server (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method, or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed, or provide malicious text content or options that get executed when adding text to images. Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vulnerability. For file upload scenarios, instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters and validate/restrict text options.

Deeper analysis

CVE-2025-54418 is a command injection vulnerability (CWE-78) in CodeIgniter, a PHP full-stack web framework, affecting versions prior to 4.6.2. It impacts applications that use the ImageMagick handler (imagick as the image library) for image processing in specific scenarios: either allowing file uploads with user-controlled filenames followed by processing those images via the resize() method, or using the text() method with user-controlled text content or options. Published on 2025-07-28 with a CVSS v3.1 base score of 9.8 (Critical), the flaw enables shell metacharacters in filenames, text, or options to be executed during image manipulation.

Remote attackers without privileges can exploit this vulnerability over the network with low complexity. By uploading a file with a malicious filename containing shell metacharacters, an attacker triggers execution when the image is processed using resize(). Alternatively, providing malicious text content or options to the text() method leads to command injection during text overlay operations. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution on the server.

The GitHub security advisory (GHSA-9952-gv64-x94c) and patch commit (e18120bff1da691e1d15ffc1bf553ae7411762c0) recommend upgrading to CodeIgniter v4.6.2 or later. Workarounds include switching to the GD image handler (default and unaffected). For file uploads, generate random filenames using getRandomName() with the move() method or use the store() method for automatic safe naming. For text operations with ImageMagick, sanitize inputs to safe characters and restrict/validate options.
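The affected upload pattern beside the workarounds the advisory recommends, as an added example (not code from the CodeIgniter project or the advisory). It assumes a CodeIgniter 4 controller, an upload field named `image`, and `WRITEPATH . 'uploads'` as the target directory; the affected handler is shown only to make the user-controlled data flow into the image library visible.

```php
<?php
// Added example, not CodeIgniter project code. Assumes a CI4 controller,
// an upload field named "image" and WRITEPATH . 'uploads' as target dir.
namespace App\Controllers;

use CodeIgniter\Controller;

class ImageUpload extends Controller
{
    // Affected pattern (versions before 4.6.2): the client-supplied filename
    // is kept verbatim on disk and later becomes part of the path handed to
    // the imagick handler, so shell metacharacters in it reach ImageMagick.
    public function affected()
    {
        $file = $this->request->getFile('image');
        $name = $file->getName();              // user-controlled, unsanitized
        $file->move(WRITEPATH . 'uploads', $name);

        service('image', 'imagick')
            ->withFile(WRITEPATH . 'uploads/' . $name)
            ->resize(200, 200, true)
            ->save(WRITEPATH . 'uploads/thumb_' . $name);
    }

    // Workarounds from the advisory: never reuse the client filename on disk
    // (getRandomName() returns a timestamp plus random hex, so no metacharacters
    // can enter the path) and prefer the default GD handler, which is unaffected.
    public function hardened()
    {
        $file = $this->request->getFile('image');
        if ($file === null || ! $file->isValid()) {
            return $this->response->setStatusCode(400);
        }
        $name = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $name);

        service('image', 'gd')
            ->withFile(WRITEPATH . 'uploads/' . $name)
            ->resize(200, 200, true)
            ->save(WRITEPATH . 'uploads/thumb_' . $name);
    }

    // Text overlay with ImageMagick: allowlist the characters before text()
    // sees them and pass only fixed, server-chosen options.
    public function caption(string $userText, string $path)
    {
        $safe = preg_replace('/[^A-Za-z0-9 .,_-]/', '', $userText);
        service('image', 'imagick')
            ->withFile($path)
            ->text($safe, ['color' => '#ffffff', 'fontSize' => 14])
            ->save($path);
    }
}
```

`store()` can replace the `getRandomName()` plus `move()` pair in `hardened()`, since it generates a safe filename itself.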

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products

codeigniter / codeigniter: 4.0.0 — 4.6.2 (fixed in v4.6.2)


References

- GitHub security advisory GHSA-9952-gv64-x94c
- Patch commit e18120bff1da691e1d15ffc1bf553ae7411762c0