A major security flaw has been detected in the popular PHP framework CodeIgniter4. The tag of a critical vulnerability, CVE-2025-54418, was officially disclosed on July 26, 2025, targeting users with file upload attacks that could compromise millions of web applications worldwide.
The vulnerability affects CodeIgniter4, specifically versions prior to 4.6.2, and has received a maximum severity rating based on the CVSS v3.1 scoring system: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high risk in terms of confidentiality, integrity, and availability. This means attackers require no privileges or user interaction to exploit the flaw, making it especially dangerous.
What Is CVE-2025-54418?
According to the official GitHub advisory, CVE-2025-54418 is a command injection vulnerability in CodeIgniter4’s ImageMagick handler, part of its image processing component. Applications that rely on ImageMagick for image manipulation, particularly through the resize() and text() methods, are at risk, especially if they accept user-controlled input such as filenames or text content.
Quoting the advisory, “CodeIgniter4’s ImageMagick Handler has Command Injection Vulnerability,” and further explains that an attacker can upload files with malicious filenames containing shell metacharacters, which may be executed when the image is processed. Alternatively, malicious text content supplied by users to the text() method can trigger the same result.
Who Is Affected?
Any application built with CodeIgniter4 that uses:
- ImageMagick (imagick) as the image library, and
- Accepts user-uploaded files with controllable filenames, or
- Processes user-supplied text via the text() method
These conditions create an opening for an attacker to run arbitrary commands on the host system, potentially leading to a full system compromise.
The Fix and Workarounds
To address this CodeIgniter vulnerability, the framework’s maintainers have released a patch in version 4.6.2. All developers are strongly encouraged to upgrade immediately to this version or later.
For those unable to upgrade, several workarounds have been suggested:
- Switch to the GD image handler (the default handler), which is not affected by this issue.
- Avoid using user-provided filenames. Instead, use secure alternatives like getRandomName() or store(), which generate safe filenames automatically.
- If user-controlled text input is essential, sanitize it rigorously using regular expressions like:
preg_replace(‘/[^a-zA-Z0-9\s.,!?-]/’, ”, $text) - Additionally, all text options should be validated to ensure safety.
Conclusion
The recently disclosed CodeIgniter vulnerability, CVE-2025-54418, was reported by GitHub user @vicevirus, with a fix implemented under the guidance of CodeIgniter4 maintainer @paulbalandan. Cataloged in the GitHub advisory database as GHSA-9952-gv64-x94c, this critical flaw highlights the ongoing cybersecurity risks posed by file upload attacks in modern web development.
Despite CodeIgniter’s historically strong security record, this incident again puts us back in the same position where even the most well-maintained frameworks like CodeIgniter4 are not immune to serious threats, particularly when user input and powerful tools like ImageMagick are involved.
Developers are urged to act promptly by upgrading to version 4.6.2 or applying the recommended mitigations, ensuring proper input validation and avoiding unsafe defaults. Proactive steps now are essential to protect systems from exploitation and maintain the integrity of applications built with CodeIgniter4.
