CVE-2025-54418 Overview
CVE-2025-54418 is a critical command injection vulnerability affecting CodeIgniter, a PHP full-stack web framework. The vulnerability exists in the ImageMagick handler for image processing and impacts applications that use imagick as their image library. Exploitation occurs when applications allow file uploads with user-controlled filenames and process those images using the resize() method, or when using the text() method with user-controlled text content or options.
An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed. Alternatively, attackers can provide malicious text content or options that get executed when adding text to images. This command injection vulnerability allows for arbitrary command execution on the underlying server, potentially leading to complete system compromise.
Critical Impact
Unauthenticated remote attackers can execute arbitrary system commands on vulnerable CodeIgniter applications using the ImageMagick handler, potentially leading to full server compromise, data exfiltration, and lateral movement within the network.
Affected Products
- CodeIgniter versions prior to 4.6.2
- Applications using imagick as the image library handler
- Systems processing user-uploaded images via the resize() method or using text() with user-controlled input
Discovery Timeline
- 2025-07-28 - CVE-2025-54418 published to NVD
- 2025-08-05 - Last updated in NVD database
Technical Details for CVE-2025-54418
Vulnerability Analysis
This command injection vulnerability is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command. The vulnerability stems from improper input sanitization in the ImageMagickHandler.php file, where user-controlled filenames and parameters are passed directly to shell commands without proper escaping.
The attack can be executed remotely over the network without requiring any authentication or user interaction. When exploited, an attacker gains the ability to execute arbitrary commands with the privileges of the web server process, potentially leading to complete confidentiality, integrity, and availability compromise of the affected system.
Root Cause
The root cause of CVE-2025-54418 lies in the ImageMagickHandler.php file where source and destination file paths were concatenated directly into shell commands using string interpolation with double quotes. The vulnerable code constructed the ImageMagick resize command by wrapping file paths in escaped double quotes (\") rather than using PHP's escapeshellarg() function to properly sanitize shell metacharacters.
This allowed attackers to inject arbitrary shell commands through specially crafted filenames containing metacharacters such as backticks, semicolons, or command substitution sequences that break out of the quoted context and execute additional commands.
Attack Vector
The attack vector for CVE-2025-54418 is network-based and requires no authentication. An attacker can exploit this vulnerability through the following attack path:
- Identify a CodeIgniter application using the ImageMagick handler (imagick) for image processing
- Upload a file with a malicious filename containing shell metacharacters (e.g., image$(whoami).jpg or image\id`.png`)
- Trigger the image processing functionality that calls the resize() method
- The shell metacharacters in the filename are executed as system commands
Alternatively, if the application uses the text() method with user-controlled input, attackers can inject commands through the text content or options parameters.
The following patch demonstrates how the vulnerability was fixed by implementing proper shell argument escaping:
}
$action = $maintainRatio
- ? ' -resize ' . ($this->width ?? 0) . 'x' . ($this->height ?? 0) . ' "' . $source . '" "' . $destination . '"'
- : ' -resize ' . ($this->width ?? 0) . 'x' . ($this->height ?? 0) . "{$escape}! \"" . $source . '" "' . $destination . '"';
+ ? ' -resize ' . ($this->width ?? 0) . 'x' . ($this->height ?? 0) . ' ' . escapeshellarg($source) . ' ' . escapeshellarg($destination)
+ : ' -resize ' . ($this->width ?? 0) . 'x' . ($this->height ?? 0) . "{$escape}! " . escapeshellarg($source) . ' ' . escapeshellarg($destination);
$this->process($action);
Source: GitHub CodeIgniter4 Commit
The fix replaces the vulnerable string concatenation with double quotes to use escapeshellarg(), which properly escapes all shell metacharacters in the source and destination file paths.
Detection Methods for CVE-2025-54418
Indicators of Compromise
- Unusual process spawning from web server processes (e.g., www-data or apache user executing shell commands)
- Image filenames containing shell metacharacters such as backticks, $(), semicolons, or pipe characters in upload directories
- Web server error logs showing ImageMagick command execution failures or unexpected command output
- Unexpected outbound network connections from the web server process
- Newly created files or modified system configurations without administrative action
Detection Strategies
- Monitor web application upload directories for filenames containing shell metacharacters ($, backticks, ;, |, &)
- Implement file integrity monitoring on CodeIgniter application directories to detect unauthorized modifications
- Deploy web application firewalls (WAF) with rules to detect command injection patterns in file upload requests
- Analyze HTTP request logs for suspicious filename patterns in file upload endpoints
- Configure process monitoring to alert on unusual child processes spawned by PHP/web server processes
Monitoring Recommendations
- Enable detailed logging for file upload operations including original and sanitized filenames
- Configure SIEM rules to correlate image processing operations with subsequent command execution events
- Implement real-time alerting for ImageMagick process invocations with unexpected command-line arguments
- Monitor for reconnaissance commands commonly executed post-exploitation (e.g., whoami, id, uname)
How to Mitigate CVE-2025-54418
Immediate Actions Required
- Upgrade CodeIgniter to version 4.6.2 or later immediately
- If immediate upgrade is not possible, switch to the GD image handler (gd) which is not affected by this vulnerability
- Audit all file upload functionality to ensure user-provided filenames are not used directly
- Review and sanitize any user-controlled input passed to the text() method
Patch Information
CodeIgniter has released version 4.6.2 which addresses this command injection vulnerability. The patch implements proper shell argument escaping using PHP's escapeshellarg() function for all user-controlled values passed to ImageMagick commands.
Users should upgrade to version 4.6.2 or later to receive the security fix. The patch is available in the GitHub CodeIgniter4 Commit. For complete details, refer to the GitHub Security Advisory GHSA-9952.
Workarounds
- Switch to the GD image handler (gd, the default handler) which is not affected by this vulnerability
- For file upload scenarios, use getRandomName() with the move() method to generate safe random filenames instead of user-provided names
- Use the store() method which automatically generates safe filenames for uploaded files
- For text operations requiring ImageMagick with user-controlled text, implement strict input sanitization allowing only safe characters
- Validate and restrict text options to a predefined whitelist of safe values
# Configuration example - Switch to GD handler in app/Config/Images.php
# Change the default handler from 'imagick' to 'gd'
public string $defaultHandler = 'gd';
# For file uploads, use getRandomName() instead of user filename
$file->move(WRITEPATH . 'uploads', $file->getRandomName());
# Or use store() which auto-generates safe filenames
$file->store();
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
