What is the CodeIgniter4 critical vulnerability CVE-2025-54418?

CodeIgniter4 has patched a critical command injection vulnerability (CVE-2025-54418, CVSS score 10.0) in its ImageMagick image processing handler. The vulnerability allows unauthenticated attackers to execute arbitrary system commands on affected web applications through malicious file uploads and text processing operations due to insufficient input sanitization.

Which CodeIgniter4 versions are affected by CVE-2025-54418?

The vulnerability affects all CodeIgniter4 applications running versions prior to 4.6.2 that use the ImageMagick library for image processing operations. Any application using ImageMagick as the image handler in these versions is potentially vulnerable to command injection attacks.

What are the attack vectors for the CodeIgniter4 vulnerability?

There are two main attack vectors: First, uploading files with filenames containing shell metacharacters that get executed when processing images using CodeIgniter's resize() method. Second, exploiting the text() method when user-controlled content or options are passed for adding text overlays to images, allowing malicious content to be executed during ImageMagick operations.

How does the filename attack vector work in CodeIgniter4?

The filename attack vector involves uploading files with filenames containing shell metacharacters. When the application processes these images using CodeIgniter's resize() method, the malicious filenames break out of the intended ImageMagick command context and execute arbitrary shell commands on the server with the same privileges as the web server process.

How does the text() method attack work in CodeIgniter4?

The text() method attack exploits situations where user-controlled content or options are passed for adding text overlays to images. Attackers can provide malicious text content or options that get executed when the application attempts to add text to images through ImageMagick operations, leading to command injection.

Is there a patch available for CodeIgniter4 CVE-2025-54418?

Yes, CodeIgniter4 developers have released version 4.6.2 as an emergency patch to address CVE-2025-54418. All users running affected versions should immediately update to CodeIgniter4 version 4.6.2 or later to protect against this critical command injection vulnerability.

What workarounds are available if immediate patching is not possible?

Several workarounds are available: switch from the ImageMagick handler to the GD image handler (gd), which is unaffected by this vulnerability; implement filename generation controls using CodeIgniter's getRandomName() method or switch to the store() method for automatic safe filename generation; apply input sanitization using regular expressions to remove dangerous characters from user input.

Is the GD image handler affected by this CodeIgniter4 vulnerability?

No, the GD image handler (gd) is completely unaffected by CVE-2025-54418. The GD handler is CodeIgniter4's default image processing library and remains secure. Switching from ImageMagick to GD is an effective workaround for applications that cannot immediately update to version 4.6.2.

What input sanitization can prevent the CodeIgniter4 vulnerability?

Input sanitization using regular expressions can help prevent exploitation. For example, using preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) to remove potentially dangerous characters from user-controlled text input before passing it to ImageMagick operations can reduce the risk of command injection attacks.

How can developers secure file uploads in CodeIgniter4?

Developers can secure file uploads by implementing filename generation controls such as using CodeIgniter's getRandomName() method when utilizing the move() method for file uploads, or switching to the store() method, which automatically generates safe, random filenames that eliminate the malicious filename attack vector entirely.

What should CodeIgniter4 developers do immediately about CVE-2025-54418?

CodeIgniter4 developers should immediately update to version 4.6.2 or later to patch CVE-2025-54418. If immediate patching is not possible, they should implement workarounds such as switching to the GD image handler, using secure filename generation methods, and applying input sanitization to user-controlled content before processing with ImageMagick.

Advisory

Critical command injection flaw reported in CodeIgniter4 ImageMagick handler

Q: How severe is the CodeIgniter4 CVE-2025-54418 vulnerability?

CVE-2025-54418 has a CVSS score of 10.0, which represents the maximum possible severity rating. This critical vulnerability allows unauthenticated attackers to execute arbitrary system commands, making it extremely dangerous for any affected CodeIgniter4 application using ImageMagick for image processing.

published: July 29, 2025

Take action: If you're running CodeIgniter4 applications that process images, update to version 4.6.2. If you can't update right away, switch from ImageMagick to the GD image handler, use CodeIgniter's getRandomName() method for file uploads and sanitization of input with regular expressions to eliminate dangerous characters.

Learn More

CodeIgniter4 has patched a critical command injection vulnerability in its ImageMagick image processing handler that could allow unauthenticated attackers to execute arbitrary system commands on affected web applications through malicious file uploads and text processing operations.

The vulnerability is tracked as CVE-2025-54418 (CVSS score 10.0) and is caused by insufficient input sanitization in CodeIgniter4's ImageMagick integration. The vulnerability occurs when applications allow file uploads with user-controlled filenames and process uploaded images using the resize() method, or when using the text() method with user-controlled text content or options.

The first attack vector involves uploading files with filenames containing shell metacharacters that get executed when the application processes images using CodeIgniter's resize() method. During image processing operations, these malicious filenames break out of the intended ImageMagick command context and execute arbitrary shell commands on the underlying server with the same privileges as the web server process.
The second attack path exploits the text() method when user-controlled content or options are passed for adding text overlays to images. Attackers can provide malicious text content or options that get executed when the application attempts to add text to images through ImageMagick operations.

The flaw affects all CodeIgniter4 applications running versions prior to 4.6.2 that use the ImageMagick library for image processing operations.

CodeIgniter4 developers have released version 4.6.2 as an emergency patch.

For environments where immediate patching is not feasible, several effective workarounds are available to reduce risk exposure:

switching from the ImageMagick handler to the GD image handler (gd), which is CodeIgniter4's default image processing library and remains completely unaffected by this vulnerability.
implementing filename generation controls like CodeIgniter's getRandomName() method when utilizing the move() method for file uploads, or switch to the store() method, which automatically generates safe, random filenames that eliminate the attack vector entirely.
input sanitization using regular expressions such as preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) to remove potentially dangerous characters.

Critical command injection flaw reported in CodeIgniter4 ImageMagick handler

Read More
Critical SQL Injection flaw reported in ADOdb PHP …
Critical vulnerabilities in Gogs open-source Git service
JetBrains TeamCity under active attack by hackers, patch …
Critical directory traversal vulnerability reported in React Router …
Critical authentication bypass flaw reported in AI coding …