CVE-2025-54418: CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
This vulnerability affects applications that:
- use the ImageMagick handler for image processing (`imagick` as the image library), AND either:
  - allow file uploads with user-controlled filenames and process the uploaded images with the `resize()` method, OR
  - use the `text()` method with user-controlled text content or options.
An attacker can:
- Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed
- OR provide malicious text content or options that get executed when adding text to images
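The filename path of the two conditions above, as an added example that is not CodeIgniter4's own code: the first function shows the unsafe string-interpolation pattern that lets shell metacharacters in a filename become commands, the second shows the same command built with `escapeshellarg()`, and the upload handler stores the file under a server-generated random name before it reaches `resize()`. The CodeIgniter4 calls used (`Services::image('imagick')`, `UploadedFile::getRandomName()`, `move()`, `withFile()`, `resize()`, `save()`) are assumed from the framework's public API; the directory and size values are illustrative.

```php
<?php
// Added example, not CodeIgniter4's own code: keep user-controlled filenames
// away from a shell-built ImageMagick command (CVE-2025-54418 pattern).
// Assumes CodeIgniter4's UploadedFile and Services::image('imagick') API.

use CodeIgniter\HTTP\Files\UploadedFile;
use Config\Services;

// Unsafe pattern (for contrast only): the client-supplied name is interpolated
// straight into the shell command, so metacharacters in it are interpreted.
function buildConvertCommandUnsafe(string $source, string $target): string
{
    return "convert {$source} -resize 100x100 {$target}";
}

// Hardened pattern: every argument is quoted with escapeshellarg(), so shell
// metacharacters in a filename are passed as literal characters.
function buildConvertCommandSafe(string $source, string $target): string
{
    return 'convert ' . escapeshellarg($source)
         . ' -resize 100x100 ' . escapeshellarg($target);
}

// Defensive allowlist: accept only plain image names (letters, digits, . _ -)
// with an image extension; anything else, including shell metacharacters,
// is rejected before the file is touched.
function isSafeImageName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(png|jpe?g|gif|webp)\z/i', $name);
}

// Store the upload under a server-generated random name and only then hand it
// to the ImageMagick handler, so resize() never sees an attacker-chosen name.
function storeAndResize(UploadedFile $file, string $uploadDir): string
{
    if (! $file->isValid() || ! isSafeImageName($file->getClientName())) {
        throw new RuntimeException('Rejected upload: invalid or unsafe filename');
    }

    $storedName = $file->getRandomName();   // e.g. 1700000000_ab12cd34ef56.png (constructed)
    $file->move($uploadDir, $storedName);
    $path = rtrim($uploadDir, '/') . '/' . $storedName;

    Services::image('imagick')
        ->withFile($path)
        ->resize(100, 100, true)
        ->save($path);

    return $path;
}
```

Even with the random-name step, keep the `escapeshellarg()` habit for any command you build yourself, since the random name is only as safe as the code that consumes it.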
References
- cwe.mitre.org/data/definitions/78.html
- github.com/advisories/GHSA-9952-gv64-x94c
- github.com/codeigniter4/CodeIgniter4
- github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0
- github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c
- nvd.nist.gov/vuln/detail/CVE-2025-54418
- owasp.org/www-community/attacks/Command_Injection