CVE-2025-54418
CRITICAL 9.8 | EPSS 3.9%
CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
Description
### Impact

This vulnerability affects applications that:

* Use the ImageMagick handler for image processing (`imagick` as the image library)
* **AND** either:
  * Allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method
  * **OR** use the `text()` method with user-controlled text content or options

An attacker can:

* Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed
* **OR** provide malicious text content or options that get executed when adding text to images

### Patches

Upgrade to v4.6.2 or later.

### Workarounds

* **Switch to the GD image handler** (`gd`, the default handler), which is not affected by either vulnerability
* **For file upload scenarios**: Instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames
* **For text operations**: If you must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters: `preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text)` and validate/restrict text options

### References

* [OWASP Command Injection Prevention](https://owasp.org/www-community/attacks/Command_Injection)
* [CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)
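The following controller is an added example, not code from the advisory or the CodeIgniter project. It applies the advisory's workarounds (random upload names via `getRandomName()` with `move()`, the allow-list `preg_replace()` for text, and restricted `text()` options) in an application that must keep using the `imagick` handler. The controller name, the `image` and `caption` request fields, the numeric option fields and the `writable/uploads` paths are assumptions.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;
use Config\Services;

// Added example (not from the advisory or CodeIgniter). Assumed: an upload field
// "image", a POST field "caption", optional integer POST fields named after the
// entries of $intOptions, and uploads stored under writable/uploads.
class SafeImage extends Controller
{
    public function upload()
    {
        $file = $this->request->getFile('image');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('No valid upload');
        }

        // Filename vector: discard the client-supplied name and move the upload
        // under a random one ($file->store('images') does the same in one call).
        $newName = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $newName);
        $source = WRITEPATH . 'uploads/' . $newName;

        // Text vector: strip every character outside the allow-list given in the
        // advisory before the string reaches text().
        $caption = preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', (string) $this->request->getPost('caption'));

        // Restrict text() options: accept only known numeric options and cast them,
        // so no user-controlled string is passed through as an option value.
        $intOptions = ['fontSize', 'hOffset', 'vOffset', 'padding'];
        $options    = ['fontSize' => 16, 'color' => 'ffffff', 'hAlign' => 'center'];
        foreach ($intOptions as $name) {
            $value = $this->request->getPost($name);
            if ($value !== null && ctype_digit((string) $value)) {
                $options[$name] = (int) $value;
            }
        }

        // Process with the imagick handler using only the sanitized values above.
        Services::image('imagick')
            ->withFile($source)
            ->resize(800, 600, true, 'width')
            ->text($caption, $options)
            ->save(WRITEPATH . 'uploads/processed_' . $newName);
        return $this->response->setBody('Stored as processed_' . $newName);
    }
}
```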
Affected packages (1)
- Packagist: codeigniter4/framework, from 0, < 4.6.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-54418
- PATCH: https://github.com/codeigniter4/CodeIgniter4
- WEB: https://cwe.mitre.org/data/definitions/78.html
- WEB: https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0
- WEB: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c
- WEB: https://owasp.org/www-community/attacks/Command_Injection