CVE-2025-54418

Severity: Critical · Impact: RCE

Published: 28 July 2025
Modified: 05 August 2025
KEV Added: not listed (see Summary)
Patch: upgrade to CodeIgniter 4.6.2 or later (see Deeper analysis)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0388 (88.5th percentile)
Risk Priority: 22 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54418 is a critical-severity OS Command Injection (CWE-78) vulnerability in CodeIgniter (vendor codeigniter, product codeigniter). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CodeIgniter is a PHP full-stack web framework that contains a command injection vulnerability in versions prior to 4.6.2. The flaw resides in the ImageMagick image processing handler when applications invoke the resize method on uploaded files whose names are under user control or invoke the text method with attacker-supplied content or options. Successful exploitation results in arbitrary operating-system command execution and is assigned CWE-78 and a CVSS score of 9.8.

An unauthenticated remote attacker can supply a crafted filename containing shell metacharacters during a file upload that is later resized, or can supply malicious strings through the text API. Either action causes the ImageMagick handler to execute the embedded commands, granting the attacker full control over the confidentiality, integrity, and availability of the affected application.

The GitHub security advisory and associated commit recommend upgrading to CodeIgniter 4.6.2 or later. As immediate workarounds, administrators can switch to the unaffected GD handler, generate random filenames with `getRandomName()` or `store()` instead of accepting user-supplied names, or sanitize all text and option inputs passed to ImageMagick.

The EPSS score remains flat at 0.0388 with no observed rise after disclosure.

Vulnerability details

CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method, or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed, or provide malicious text content or options that get executed when adding text to images.

Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vulnerability. For file upload scenarios, instead of using user-provided filenames, generate random names with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames; this eliminates the attack vector. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to allow only safe characters and validate/restrict text options.
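The affected upload pattern next to the advisory's hardened form, as an added PHP example that is not CodeIgniter's own code; the `Upload` controller, the `image` and `caption` form fields and the `WRITEPATH . 'uploads'` folder are assumptions.

```php
<?php
// Added example (not CodeIgniter project code): the upload pattern this advisory
// describes, next to its hardened form. Assumes a CodeIgniter 4 app, a multipart
// form with "image" and "caption" fields, and a hypothetical WRITEPATH.'uploads' dir.

namespace App\Controllers;

use CodeIgniter\Controller;
use Config\Services;

class Upload extends Controller
{
    // Vulnerable pattern (CodeIgniter < 4.6.2 with the 'imagick' handler): the
    // on-disk name is whatever the client sent, that path is handed to resize(),
    // and the caption goes to text() unchecked.
    public function uploadUnsafe()
    {
        $file = $this->request->getFile('image');
        $name = $file->getClientName();                    // attacker-controlled
        $file->move(WRITEPATH . 'uploads', $name);
        Services::image('imagick')
            ->withFile(WRITEPATH . 'uploads/' . $name)
            ->resize(200, 200)
            ->text($this->request->getPost('caption'))    // attacker-controlled
            ->save(WRITEPATH . 'uploads/thumb_' . $name);
    }

    // Hardened, per the advisory's workarounds: the server picks the filename
    // (getRandomName() with move(); store() does the same), the caption is allow-
    // listed with fixed text() options, and the unaffected 'gd' handler is used.
    public function uploadSafe()
    {
        $file    = $this->request->getFile('image');
        $caption = (string) $this->request->getPost('caption');
        if ($file === null || ! $file->isValid()
            || ! in_array($file->getMimeType(), ['image/jpeg', 'image/png'], true)
            || ! preg_match('/^[A-Za-z0-9 .,!?-]{0,64}$/', $caption)) {
            return $this->response->setStatusCode(400, 'Invalid upload');
        }
        $name = $file->getRandomName();                    // server-generated name
        $file->move(WRITEPATH . 'uploads', $name);
        $img = Services::image('gd')
            ->withFile(WRITEPATH . 'uploads/' . $name)
            ->resize(200, 200);
        if ($caption !== '') {
            $img->text($caption, ['color' => '#ffffff', 'fontSize' => 16]);
        }
        $img->save(WRITEPATH . 'uploads/thumb_' . $name);
    }
}
```

Keeping `$defaultHandler` at `gd` in `app/Config/Images.php` applies the same workaround application-wide, independent of any one controller.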

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in a public-facing CodeIgniter web application enables remote exploitation (T1190) and direct execution of arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Affected Assets

Vendor: codeigniter
Product: codeigniter
Versions: 4.0.0 — 4.6.2

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: Requires timely remediation of flaws by upgrading to CodeIgniter v4.6.2 or later, which patches the command injection vulnerability in ImageMagick handling.

Prevent (SI-10, Information Input Validation): Mandates validation of user-controlled inputs such as filenames and text content to sanitize shell metacharacters before processing with ImageMagick's resize() or text() methods.

Prevent (CM-7, Least Functionality): Enforces least functionality by prohibiting or restricting the vulnerable ImageMagick (imagick) handler, defaulting to the unaffected GD library.
