CVE-2025-54418
Published: 28 July 2025
Summary
CVE-2025-54418 is a critical-severity OS Command Injection (CWE-78) vulnerability in the CodeIgniter PHP web framework (vendor Codeigniter, product Codeigniter). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CodeIgniter is a PHP full-stack web framework that contains a command injection vulnerability in versions prior to 4.6.2. The flaw resides in the ImageMagick image processing handler when applications invoke the resize method on uploaded files whose names are under user control or invoke the text method with attacker-supplied content or options. Successful exploitation results in arbitrary operating-system command execution and is assigned CWE-78 and a CVSS score of 9.8.
An unauthenticated remote attacker can supply a crafted filename containing shell metacharacters during a file upload that is later resized, or can supply malicious strings through the text API. Either action causes the ImageMagick handler to execute the embedded commands, granting the attacker full control over the confidentiality, integrity, and availability of the affected application.
The GitHub security advisory and the associated fix commit recommend upgrading to CodeIgniter 4.6.2 or later. As immediate workarounds, administrators can switch to the unaffected GD handler, generate random filenames with `getRandomName()` or `store()` instead of accepting user-supplied names, or sanitize all text and option inputs passed to ImageMagick.
The EPSS score remains flat at 0.0388 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22914
Vulnerability details
CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method, or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed, or provide malicious text content or options that get executed when adding text to images. Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vector. For file upload scenarios, instead of using user-provided filenames, generate random names with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames; either choice eliminates the attack vector. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to allow only safe characters and validate/restrict the text options.
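The workarounds described in the Deeper analysis and Vulnerability details sections amount to three defensive moves: never let a client-supplied filename reach the image handler, restrict text and options handed to `text()` to an allowlist, and, while the upgrade to 4.6.2 rolls out, spot filenames that carry shell syntax. The PHP below is an added example written for this page, not code from the CodeIgniter project or the advisory. It is plain PHP 8 with no framework dependency; the constant `ALLOWED_IMAGE_EXTENSIONS`, the function names, and the option keys `fontSize` and `color` are this example's own assumptions for a hypothetical application, not CodeIgniter API. CodeIgniter's own `getRandomName()` and `store()` already cover the random-name part; the helper here adds an extension allowlist on top.

```php
<?php
// Added example, not CodeIgniter project code. Plain PHP 8, no framework
// dependency: run with `php hardening.php`. Covers the two inputs the advisory
// names: client-controlled upload filenames that later reach the ImageMagick
// handler's resize(), and client-controlled text/options handed to text().
// Constant, function names and option keys are this example's own assumptions.
declare(strict_types=1);

// Extensions this hypothetical application is willing to hand to the image
// handler; anything else is rejected before any image library sees it.
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Build a storage filename that carries nothing from the client except a
 * vetted extension. Same idea as the advisory's getRandomName()/store() advice,
 * plus an extension allowlist. In a CodeIgniter controller it would be used as
 * $file->move($dir, safeStorageName($file->getClientName())).
 */
function safeStorageName(string $clientName): string
{
    // Only the final extension is consulted; no other client bytes survive.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
        throw new InvalidArgumentException("unsupported image extension '$ext'");
    }
    // 16 random bytes as 32 hex characters: safe in shell, path and URL contexts.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Triage check for upload logs or WAF rules: true when a client filename holds
 * characters that have no business in an image name but do have meaning to a
 * shell. Useful for alerting while the upgrade to 4.6.2 rolls out; it is not a
 * replacement for the random-name rule above.
 */
function filenameLooksHostile(string $clientName): bool
{
    return preg_match('/[;&|`$<>(){}\'"\\\\\x00-\x1f]/', $clientName) === 1;
}

/**
 * Restrict text destined for text() to an explicit allowlist of characters and
 * a bounded length; everything else is dropped rather than escaped.
 */
function sanitizeOverlayText(string $text, int $maxLen = 64): string
{
    $clean = preg_replace('/[^A-Za-z0-9 .,!?-]/', '', $text) ?? '';
    return substr($clean, 0, $maxLen);
}

/**
 * Allowlist the option map handed to text(). Only the keys this hypothetical
 * application exposes ('fontSize', 'color') are kept, each coerced to a
 * bounded, well-typed value; unknown keys never reach the image handler.
 */
function restrictTextOptions(array $userOptions): array
{
    $safe = [];
    if (isset($userOptions['fontSize'])) {
        $safe['fontSize'] = max(8, min(72, (int) $userOptions['fontSize']));
    }
    if (isset($userOptions['color'])
        && preg_match('/^[0-9a-fA-F]{6}$/', (string) $userOptions['color']) === 1) {
        $safe['color'] = strtolower((string) $userOptions['color']);
    }
    return $safe;
}

// Self-test on constructed inputs (none are taken from a real incident).
if (PHP_SAPI === 'cli' && basename($argv[0] ?? '') === basename(__FILE__)) {
    foreach (['holiday.JPG', 'photo;x.png', "a\nb.gif", 'report.pdf'] as $name) {
        $flag = filenameLooksHostile($name) ? 'HOSTILE' : 'ok';
        try {
            $stored = safeStorageName($name);
        } catch (InvalidArgumentException $e) {
            $stored = 'rejected: ' . $e->getMessage();
        }
        printf("%-14s %-8s -> %s\n", json_encode($name), $flag, $stored);
    }
    echo sanitizeOverlayText("Hello; `x` world!\n"), "\n";
    print_r(restrictTextOptions(['fontSize' => '500', 'color' => 'FF0000', 'extra' => 'dropped']));
}
```

Running the self-test shows the three rules working independently: `holiday.JPG` gets a random hex name with a lower-cased `jpg` extension, `report.pdf` is rejected by the allowlist, `photo;x.png` and the name containing a newline are flagged HOSTILE even though their extensions are acceptable (the flag is for alerting; the stored name never contains the client bytes either way), the overlay text loses its semicolon, backticks and newline, and the option map keeps only a clamped `fontSize` and a validated `color`.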
CWE(s)
- CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
- Command and Scripting Interpreter: Unix Shell (T1059.004)
Why these techniques?
Command injection in a public-facing CodeIgniter web application enables remote exploitation (T1190) and direct execution of arbitrary Unix shell commands (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of flaws by upgrading to CodeIgniter v4.6.2 or later, which patches the command injection vulnerability in ImageMagick handling.
- SI-10 (Information Input Validation): mandates validation of user-controlled inputs such as filenames and text content to sanitize shell metacharacters before processing with ImageMagick's resize() or text() methods.
- CM-7 (Least Functionality): enforces least functionality by prohibiting or restricting the vulnerable ImageMagick (imagick) handler, defaulting to the unaffected GD library.