PT-2025-31111 · Unknown · Imagemagick+1
Vicevirus · Published 2025-07-26 · Updated 2025-08-05
CVE-2025-54418
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
CodeIgniter versions prior to 4.6.2
Description
CodeIgniter is a PHP full-stack web framework susceptible to a command injection issue. The vulnerability impacts applications utilizing the ImageMagick handler (imagick) for image processing and either permitting file uploads with user-defined filenames processed via the resize() method or employing the text() method with user-controlled text or options. An attacker can exploit this by uploading a file with a malicious filename containing shell metacharacters, which are executed during image processing, or by providing malicious text content or options that are executed when adding text to images. Approximately 2,254,632 systems are potentially affected worldwide.

Recommendations
Upgrade to version 4.6.2 or later to receive a patch.
As a workaround, switch to the GD image handler (gd), which is not affected.
For file upload scenarios, generate random filenames using getRandomName() with the move() method, or use the store() method, which automatically generates safe filenames.
For text operations, sanitize user-controlled text input to allow only safe characters and validate/restrict text options.

Tags: Exploit · Fix · RCE · OS Command Injection
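The recommendations above, applied in one place, as an added example that is not from the advisory or from the CodeIgniter project: a CodeIgniter 4 controller that stores an upload under a getRandomName() filename before handing it to resize(), and allowlists both the caption and the text() options before calling text(). The request field names ('avatar', 'caption', 'text'), the uploads directory and the 300x300 target are assumptions; the framework calls (getFile, getRandomName, move, service('image', ...), withFile, resize, text, save) are CodeIgniter 4's public API, and store() is named in a comment as the one-line alternative the advisory mentions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or from the CodeIgniter project.
// Assumed: request fields 'avatar' (file), 'caption' (string) and 'text' (array
// of text() options); WRITEPATH . 'uploads' as the storage directory.

namespace App\Controllers;

use CodeIgniter\HTTP\ResponseInterface;

final class Avatar extends BaseController
{
    public function upload(): ResponseInterface
    {
        $file = $this->request->getFile('avatar'); // assumed field name

        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('no valid upload');
        }

        // Pattern the advisory describes as vulnerable: the browser-supplied name
        // is kept, so it later sits inside the command the imagick handler runs.
        //   $file->move(WRITEPATH . 'uploads', $file->getName());
        //
        // Recommended: a framework-generated name carries no user-chosen bytes.
        // $file->store() is the one-line equivalent when the default directory
        // is acceptable.
        $name = $file->getRandomName();

        // Defence in depth: only accept the shape getRandomName() is expected to
        // produce (time_hex with an optional extension); anything else is a bug.
        if (! preg_match('/^[A-Za-z0-9_]+(\.[A-Za-z0-9]+)?$/', $name)) {
            return $this->response->setStatusCode(500)->setBody('unexpected filename');
        }

        $file->move(WRITEPATH . 'uploads', $name);
        $path = WRITEPATH . 'uploads/' . $name;

        $caption = self::safeCaption((string) $this->request->getPost('caption'));
        $options = self::safeTextOptions((array) $this->request->getPost('text'));

        // Until the upgrade to 4.6.2 is done, 'gd' here is the advisory's
        // drop-in workaround for 'imagick'.
        service('image', 'imagick')
            ->withFile($path)
            ->resize(300, 300, true)   // assumed target size
            ->text($caption, $options)
            ->save($path);

        return $this->response->setJSON(['stored' => $name]);
    }

    /** Keep only characters that are never shell metacharacters; cap the length. */
    private static function safeCaption(string $raw): string
    {
        $clean = preg_replace('/[^A-Za-z0-9 .,!?-]/', '', $raw) ?? '';

        return substr(trim($clean), 0, 64);
    }

    /**
     * Pass through only the text() options this application needs, each checked
     * against a strict shape, so option values never reach the handler verbatim.
     */
    private static function safeTextOptions(array $requested): array
    {
        $safe = [];

        if (isset($requested['color'])
            && preg_match('/^#[0-9A-Fa-f]{6}$/', (string) $requested['color'])) {
            $safe['color'] = (string) $requested['color'];
        }

        $size = filter_var(
            $requested['fontSize'] ?? null,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 8, 'max_range' => 72]]
        );
        if ($size !== false) {
            $safe['fontSize'] = $size;
        }

        if (in_array($requested['vAlign'] ?? '', ['top', 'middle', 'bottom'], true)) {
            $safe['vAlign'] = $requested['vAlign'];
        }

        return $safe;
    }
}
```

The two helpers are allowlists rather than denylists: the caption keeps a fixed character set and a fixed maximum length, and each option is rebuilt from a validated value instead of being copied from the request, which is what "sanitize ... to allow only safe characters and validate/restrict text options" amounts to in practice. The random filename plus the shape check means nothing the client sent ends up in the path that resize() passes to the handler.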
Affected Products
Codeigniter
Imagemagick