CVE-2025-52994: phpThumb is vulnerable to Command Injection through its gif_outputAsJpeg function

July 11, 2025

gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709.

References

github.com/JamesHeinrich/phpThumb
github.com/JamesHeinrich/phpThumb/commit/cdcbc206ae601b15fd17e7aadf59df51149a0e82
github.com/JamesHeinrich/phpThumb/releases
github.com/advisories/GHSA-q745-cfqh-hcrw
nvd.nist.gov/vuln/detail/CVE-2025-52994
safety-online.pl/cve-2025-52994

Code Behaviors & Features

Detect and mitigate CVE-2025-52994 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →