CVE-2025-54418
CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
Description
### Impact

This vulnerability affects applications that:

* Use the ImageMagick handler for image processing (`imagick` as the image library)
* **AND** either:
  * Allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method
  * **OR** use the `text()` method with user-controlled text content or options

An attacker can:

* Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed
* **OR** provide malicious text content or options that get executed when adding text to images

### Patches

Upgrade to v4.6.2 or later.

### Workarounds

* **Switch to the GD image handler** (`gd`, the default handler), which is not affected by either vulnerability
* **For file upload scenarios**: Instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames
* **For text operations**: If you must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters: `preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text)` and validate/restrict text options

### References

* [OWASP Command Injection Prevention](https://owasp.org/www-community/attacks/Command_Injection)
* [CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)
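The upload and text workarounds above, as an added example that is not part of the advisory or the CodeIgniter project: a hypothetical controller that assumes CodeIgniter 4's `UploadedFile`, validation and image-service APIs, a hypothetical `uploads/avatars` folder under `WRITEPATH`, and form fields named `avatar` and `caption`.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;

// Hypothetical controller applying the advisory's workarounds for CVE-2025-54418.
class AvatarController extends Controller
{
    public function upload()
    {
        // Validate before touching the file: it must be an uploaded image with an
        // allow-listed extension. Restricting the extension here also bounds the
        // suffix that getRandomName() appends to the generated name.
        $rules = [
            'avatar' => 'uploaded[avatar]|is_image[avatar]|ext_in[avatar,jpg,jpeg,png]|max_size[avatar,2048]',
        ];
        if (! $this->validate($rules)) {
            return $this->response->setStatusCode(400)->setJSON($this->validator->getErrors());
        }

        $file = $this->request->getFile('avatar');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400);
        }

        // File-upload workaround: never reuse the client filename ($file->getName())
        // on disk. getRandomName() yields "<time>_<hex>.<ext>", which contains no
        // shell metacharacters for the ImageMagick handler to pass to `convert`.
        $targetDir = WRITEPATH . 'uploads/avatars';
        $safeName  = $file->getRandomName();
        $file->move($targetDir, $safeName);
        $path = $targetDir . DIRECTORY_SEPARATOR . $safeName;

        // Text workaround: strip everything outside the advisory's allow-list before
        // handing caption text to text(), and keep the text options server-controlled.
        $caption = (string) $this->request->getPost('caption');
        $caption = substr(preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $caption), 0, 64);

        service('image', 'imagick')
            ->withFile($path)
            ->resize(256, 256, true)
            ->text($caption, ['color' => '#ffffff', 'fontSize' => 14, 'vAlign' => 'bottom'])
            ->save($path);

        return $this->response->setJSON(['file' => $safeName]);
    }
}
```

Switching the `service('image', 'imagick')` call to `service('image', 'gd')` applies the first workaround instead, since the GD handler spawns no external process.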
How to fix CVE-2025-54418
To remediate CVE-2025-54418, upgrade the affected package to a fixed version below.
- Upgrade to 4.6.2 or later
Is CVE-2025-54418 being exploited?
Low — EPSS is 3.9%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0, < 4.6.2 (all versions before 4.6.2)