CodeIgniter Vulnerability Exposes Millions of Webapps to File Upload Attacks
A critical security vulnerability has been discovered in CodeIgniter4’s ImageMagick handler, exposing potentially millions of web applications to command injection attacks through malicious file uploads.
The vulnerability, tracked as CVE-2025-54418, received a CVSS score of 9.8, indicating the highest severity level and immediate risk to affected systems.
Key Takeaways
1. Critical vulnerability in the ImageMagick handler of CodeIgniter4 < 4.6.2.
2. Malicious filenames/text in uploads execute system commands.
3. Upgrade to 4.6.2 or use GD handler.
CodeIgniter Command Injection Vulnerability
GitHub reports that the command injection vulnerability in CodeIgniter4’s ImageMagick handler allows attackers to execute arbitrary system commands on vulnerable servers.
The flaw, classified under CWE-78 (OS Command Injection), affects all CodeIgniter4 applications running versions prior to 4.6.2 that utilize the ImageMagick library for image processing operations.
The vulnerability was published to the GitHub Advisory Database on July 28, 2025, and has been assigned critical severity due to its potential for complete system compromise.
The attack requires no authentication and can be executed remotely with low complexity, making it particularly dangerous for internet-facing applications.
The CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates maximum impact across confidentiality, integrity, and availability.
The vulnerability manifests through two primary attack vectors within applications that use the ImageMagick handler (imagick as the image library).
The first attack vector exploits the resize() method when processing uploaded images with user-controlled filenames containing shell metacharacters that execute during image processing.
The second vector targets the text() method, where malicious content or options provided by users can result in command execution when adding text overlays to images.
Attackers can craft malicious filenames or text parameters that break out of the intended ImageMagick command context and execute arbitrary shell commands on the underlying server.
This type of vulnerability is particularly concerning because it bypasses traditional input validation mechanisms that focus on file content rather than metadata like filenames.
| Risk Factors | Details |
| --- | --- |
| Affected Products | CodeIgniter4 Framework, all versions < 4.6.2 |
| Impact | Command Injection – Complete system compromise |
| Exploit Prerequisites | ImageMagick handler enabled (imagick library); file uploads with user-controlled filenames OR text operations with user-controlled content |
| CVSS 3.1 Score | 9.8 (Critical) |
Patch Available
CodeIgniter4 developers have released version 4.6.2 as an emergency patch to address this critical vulnerability. Organizations running affected versions should immediately upgrade to prevent potential exploitation.
For environments where immediate patching is not feasible, several workarounds are available to reduce risk exposure.
The most effective temporary mitigation involves switching from the ImageMagick handler to the GD image handler (gd), which serves as CodeIgniter4’s default and remains unaffected by this vulnerability.
For file upload scenarios, developers should pass a name generated by getRandomName() to move(), or use the store() method, which generates a random, safe filename automatically instead of reusing the client-supplied one.
Applications using text operations should sanitize user input with a pattern such as preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) to strip characters that carry meaning to the shell.
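The two mitigations above combined in one controller action, as an added example that is not code from the advisory or the CodeIgniter project; the form field names, the "avatars" folder, the caption text and the output size are assumptions:

```php
<?php
// Added example (not from the advisory or the CodeIgniter4 project): a CodeIgniter4
// controller that never hands a client-supplied filename or raw text to the image
// handler. The 'userfile' and 'caption' field names and the 'avatars' folder are assumed.

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;

class Avatar extends BaseController
{
    public function upload(): ResponseInterface
    {
        $file = $this->request->getFile('userfile');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('invalid upload');
        }

        // Do not use $file->getName() (the name chosen by the client) for anything
        // that reaches the image handler. store() moves the file under
        // WRITEPATH/uploads/<folder>/ and names it with getRandomName(); the explicit
        // equivalent is $file->move($dir, $file->getRandomName()).
        $relPath = $file->store('avatars');
        $path    = WRITEPATH . 'uploads/' . $relPath;

        // Reduce the caption to letters, digits, whitespace and basic punctuation
        // before it is passed to text(); this is the advisory's recommended pattern.
        $raw     = (string) $this->request->getPost('caption');
        $caption = preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $raw);

        // 'gd' is the default handler and is not affected by CVE-2025-54418;
        // 'imagick' should only be used on 4.6.2 or later.
        service('image', 'gd')
            ->withFile($path)
            ->resize(256, 256, true, 'height')
            ->text($caption, ['color' => '#ffffff', 'fontSize' => 14, 'vAlign' => 'bottom'])
            ->save($path);

        return $this->response->setJSON(['stored' => $relPath]);
    }
}
```

If the application must stay on the ImageMagick handler until the upgrade, keep the random-name and sanitization steps exactly as shown and only change the handler argument back to 'imagick' after moving to 4.6.2.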