CodeIgniter4’s ImageMagick Handler has Command Injection Vulnerability
Critical severity GitHub Reviewed Published Jul 26, 2025 in codeigniter4/CodeIgniter4 • Updated Jul 28, 2025
Package: composer codeigniter4/framework (Composer)
Affected versions: < 4.6.2
Impact
This vulnerability affects applications that:
- Use the ImageMagick handler for image processing (imagick as the image library)
- AND either:
- Allow file uploads with user-controlled filenames and process uploaded images using the resize() method
- OR use the text() method with user-controlled text content or options
An attacker can:
- Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed
- OR provide malicious text content or options that get executed when adding text to images
Patches
Upgrade to v4.6.2 or later.
Workarounds
- Switch to the GD image handler (gd, the default handler), which is not affected by either vulnerability
- For file upload scenarios: Instead of using user-provided filenames, generate random names to eliminate the attack vector with getRandomName() when using the move() method, or use the store() method, which automatically generates safe filenames
- For text operations: If you must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters: preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) and validate/restrict text options
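The two workarounds above applied in a CodeIgniter 4 controller, as an added example that is not code from the CodeIgniter4 project or from the advisory. It assumes a multipart upload field named "image", a POST field named "caption", the controller class name, and that stored filenames have the shape getRandomName() produces (the regex used to validate them is an assumption). The client-supplied filename is never passed to the imagick handler, the caption is filtered with the advisory's allow-list, and every text() option is a server-side constant rather than client input.

```php
<?php
// Added example, not code from the CodeIgniter4 project or the advisory.
// Assumptions: upload field "image", POST field "caption", the class name below,
// and the filename regex in caption() (matches the shape getRandomName() produces).

namespace App\Controllers;

use CodeIgniter\Controller;
use Config\Services;

class ImageController extends Controller
{
    /**
     * Workaround for uploads: the client-supplied filename never reaches the
     * imagick handler. getRandomName() builds a timestamp + random string with
     * the original extension, so shell metacharacters in the upload name are
     * simply never part of the path handed to ImageMagick.
     */
    public function upload()
    {
        $file = $this->request->getFile('image');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('no valid upload');
        }

        // Only accept image types before touching the file at all.
        if (! in_array($file->getMimeType(), ['image/jpeg', 'image/png', 'image/gif'], true)) {
            return $this->response->setStatusCode(415)->setBody('unsupported type');
        }

        // Random server-side name; the client's name is ignored entirely.
        $safeName = $file->getRandomName();
        $file->move(WRITEPATH . 'uploads', $safeName);
        $path = WRITEPATH . 'uploads/' . $safeName;

        // Equivalent alternative (instead of getRandomName() + move()):
        //   $path = WRITEPATH . 'uploads/' . $file->store();
        // store() generates the safe name itself.

        Services::image('imagick')
            ->withFile($path)
            ->resize(320, 240, true)
            ->save($path);

        return $this->response->setBody('stored as ' . $safeName);
    }

    /**
     * Workaround for text(): allow-list the caption characters (regex from the
     * advisory) and cap the length so the caption cannot bloat the command.
     */
    public static function sanitizeCaption(string $text): string
    {
        $clean = preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text);

        return mb_substr($clean ?? '', 0, 80);
    }

    public function caption(string $storedName)
    {
        // Assumed regex: accept only names of the shape getRandomName() produces,
        // so the caller cannot point the handler at an arbitrary path.
        if (! preg_match('/^[0-9]+_[A-Za-z0-9]+\.(jpe?g|png|gif)$/', $storedName)) {
            return $this->response->setStatusCode(400)->setBody('bad name');
        }
        $path = WRITEPATH . 'uploads/' . $storedName;

        $caption = self::sanitizeCaption((string) $this->request->getPost('caption'));

        // Every option is a constant chosen by the application; nothing here is
        // taken from the request, which is what "restrict text options" means.
        $options = [
            'color'    => '#ffffff',
            'opacity'  => 0.8,
            'fontSize' => 14,
            'vAlign'   => 'bottom',
            'hAlign'   => 'center',
            'padding'  => 10,
        ];

        Services::image('imagick')
            ->withFile($path)
            ->text($caption, $options)
            ->save($path);

        return $this->response->setBody('captioned ' . $storedName);
    }
}
```

If ImageMagick is not actually required, the first workaround in the list is simpler still: request Services::image('gd') (or leave the handler at its default) and both code paths above run through the GD handler, which the advisory states is unaffected.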
References
- GHSA-9952-gv64-x94c
- https://nvd.nist.gov/vuln/detail/CVE-2025-54418
- codeigniter4/CodeIgniter4@e18120b
- CWE-78: OS Command Injection: https://cwe.mitre.org/data/definitions/78.html
- OWASP Command Injection Prevention: https://owasp.org/www-community/attacks/Command_Injection
Published to the GitHub Advisory Database: Jul 28, 2025
Last updated: Jul 28, 2025