Overview
A recently disclosed vulnerability, CVE-2025-54418, affects the PHP full-stack web framework CodeIgniter. It can lead to command injection, potentially compromising systems or leaking data. It specifically affects applications that use the ImageMagick handler (`imagick` as the image library) for image processing and either accept file uploads with user-controlled filenames or pass user-controlled text content or options to the image library. All organizations and developers running affected versions of CodeIgniter need to be aware of the risk and take immediate action to secure their systems.
Vulnerability Summary
CVE ID: CVE-2025-54418
Severity: Critical (9.8)
Attack Vector: Remote
Privileges Required: None
User Interaction: Required
Impact: Command injection leading to potential system compromise or data leakage
Affected Products
Product | Affected Versions
CodeIgniter | versions prior to 4.6.2
How the Exploit Works
The vulnerability arises due to the way CodeIgniter handles image processing with ImageMagick. If an application uses the `resize()` method to process uploaded images with user-controlled filenames or the `text()` method with user-controlled text content or options, an attacker can exploit this vulnerability.
The attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed. Alternatively, they can provide malicious text content or options that get executed when adding text to images. This can lead to command injection attacks, potentially compromising the entire system or leading to data leakage.
Conceptual Example Code
The following is a conceptual example of a malicious filename that an attacker could use to exploit this vulnerability:
'; rm -rf /;'.jpg
If an application uses this filename to process an image, the shell command `rm -rf /` would be executed, deleting all files on the system.
Recommendations
Users should upgrade to CodeIgniter version 4.6.2 or later to receive a patch that fixes this vulnerability. Alternatively, they can switch to the GD image handler (`gd`, the default handler), which is not affected by this vulnerability.
For file upload scenarios, eliminate the attack vector by generating random names with `getRandomName()` when using the `move()` method, or by using the `store()` method, which generates safe filenames automatically. For text operations, if ImageMagick must be used with user-controlled text, sanitize the input to allow only safe characters and validate or restrict the text options.
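To show how these recommendations look in application code, here is an added example (not from the advisory or the CodeIgniter project) of a CodeIgniter 4 controller with the risky upload pattern beside the hardened one. The field names `userfile` and `caption`, the `uploads` folder and the `Avatar` controller are assumptions chosen for illustration.

```php
<?php
// Added example, not CodeIgniter's own code. Assumes CodeIgniter 4 with the
// imagick handler; 'userfile', 'caption' and 'uploads' are illustrative names.

namespace App\Controllers;

use Config\Services;

class Avatar extends BaseController
{
    // Risky pattern: the client-supplied filename and raw caption reach the
    // imagick handler, which is where CVE-2025-54418 applies on < 4.6.2.
    public function uploadUnsafe()
    {
        $file = $this->request->getFile('userfile');
        $file->move(WRITEPATH . 'uploads', $file->getName());

        Services::image('imagick')
            ->withFile(WRITEPATH . 'uploads/' . $file->getName())
            ->resize(200, 200, true)
            ->text((string) $this->request->getPost('caption'))
            ->save();

        return $this->response->setStatusCode(201);
    }

    // Hardened pattern following the advisory: server-generated filename,
    // allow-listed caption, and text options fixed in code, not taken from
    // the request.
    public function uploadSafe()
    {
        $file = $this->request->getFile('userfile');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400);
        }

        $name = $file->getRandomName();            // client name never reused
        $file->move(WRITEPATH . 'uploads', $name);

        $raw     = (string) $this->request->getPost('caption');
        $caption = mb_substr(preg_replace('/[^A-Za-z0-9 .,!?-]/', '', $raw), 0, 64);

        Services::image('imagick')
            ->withFile(WRITEPATH . 'uploads/' . $name)
            ->resize(200, 200, true)
            ->text($caption, ['fontSize' => 14, 'color' => '#ffffff', 'vAlign' => 'bottom'])
            ->save();

        return $this->response->setStatusCode(201);
    }
}
```

Upgrading to 4.6.2 remains the primary fix; the hardened method removes the attacker-controlled inputs regardless of framework version, and `$file->store()` can replace the `getRandomName()` plus `move()` pair.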
In addition, deploying a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can serve as temporary mitigation against this vulnerability.