CVE-2025-54418 codeigniter4/framework

Package

Manager: composer
Name: codeigniter4/framework
Vulnerable Version: >=0 <4.6.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00396 (percentile 0.59647)

Details

CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability

### Impact

This vulnerability affects applications that:

* Use the ImageMagick handler for image processing (`imagick` as the image library)
* **AND** either:
  * Allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method
  * **OR** use the `text()` method with user-controlled text content or options

An attacker can:

* Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed
* **OR** provide malicious text content or options that get executed when adding text to images

### Patches

Upgrade to v4.6.2 or later.

### Workarounds

* **Switch to the GD image handler** (`gd`, the default handler), which is not affected by either vulnerability
* **For file upload scenarios**: Instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames
* **For text operations**: If you must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters: `preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text)` and validate/restrict text options

### References

* [OWASP Command Injection Prevention](https://owasp.org/www-community/attacks/Command_Injection)
* [CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)
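The following controller is an added illustration of the two workarounds applied together in a CodeIgniter 4 application; it is not code from the advisory or from the CodeIgniter project. The controller name `ImageUpload`, the form field names `image` and `caption`, the caption length limit and the fixed `text()` options are assumptions for the example; `getFile()`, `isValid()`, `getRandomName()`, `move()`, `Services::image()`, `withFile()`, `resize()`, `text()` and `save()` are the framework's own APIs. Upgrading to 4.6.2 remains the fix; this shows how to keep user input out of the handler's command line while still on an affected version or as defence in depth.

```php
<?php
// Added example (not CodeIgniter's code): hardened upload + text overlay for the
// ImageMagick handler. Assumes a CI4 app with a multipart field "image" and a
// POST field "caption"; WRITEPATH and Config\Services are the framework's own.

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;
use Config\Services;

class ImageUpload extends BaseController
{
    // Only these upload types are processed; anything else is rejected early.
    private const ALLOWED_MIME = ['image/jpeg', 'image/png'];

    // Maximum caption length after sanitising (assumed value for the example).
    private const MAX_CAPTION = 64;

    public function upload(): ResponseInterface
    {
        $file = $this->request->getFile('image');

        // Reject missing, invalid or already-moved uploads before any image work.
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('No valid image uploaded');
        }

        // Server-side MIME check on the file contents, not the client's claim.
        if (! in_array($file->getMimeType(), self::ALLOWED_MIME, true)) {
            return $this->response->setStatusCode(415)->setBody('Unsupported image type');
        }

        // Workaround 1: never pass the client-supplied filename to the handler.
        // getRandomName() returns a timestamp plus random string with the
        // original extension, so no attacker-chosen bytes reach the shell command.
        $safeName = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $safeName);
        $path = WRITEPATH . 'uploads/' . $safeName;

        // Workaround 2: whitelist the caption with the advisory's regex, cap its
        // length, and keep every text() option fixed server-side rather than
        // letting the request choose font paths, colours or offsets.
        $caption = (string) $this->request->getPost('caption');
        $caption = preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $caption) ?? '';
        $caption = mb_substr(trim($caption), 0, self::MAX_CAPTION);

        $image = Services::image('imagick')
            ->withFile($path)
            ->resize(800, 600, true); // maintain aspect ratio

        if ($caption !== '') {
            $image->text($caption, [
                'color'    => '#ffffff',
                'fontSize' => 16,
                'vAlign'   => 'bottom',
                'hAlign'   => 'center',
                'padding'  => 10,
            ]);
        }

        $image->save($path);

        return $this->response->setJSON(['stored' => $safeName]);
    }
}
```

If you do not need control over the destination directory, `$file->store()` replaces the `getRandomName()` plus `move()` pair and returns the generated relative path under `writable/uploads`. Switching `Services::image('imagick')` to `Services::image('gd')` (or simply omitting the argument, since GD is the default) removes the affected handler entirely and is the simplest workaround where ImageMagick-specific features are not required.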

Metadata

Created: 2025-07-28T16:08:20Z
Modified: 2025-07-28T16:08:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-9952-gv64-x94c/GHSA-9952-gv64-x94c.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-9952-gv64-x94c
Finding: F404
Auto approve: 1