@alon710
Created January 24, 2026 22:44
CVE-2025-54418: Shells in Your Selfies: CodeIgniter 4 ImageMagick RCE - CVE Security Report

CVE-2025-54418: Shells in Your Selfies: CodeIgniter 4 ImageMagick RCE

CVSS Score: 9.8
Published: 2025-07-28
Full Report: https://cvereports.com/reports/CVE-2025-54418

Summary

A critical OS Command Injection vulnerability in CodeIgniter 4's ImageMagick handler allows unauthenticated attackers to achieve Remote Code Execution (RCE) via malicious filenames or text overlays.

TL;DR

CodeIgniter 4 versions before 4.6.2 failed to sanitize inputs when wrapping the ImageMagick CLI. By uploading an image with a carefully crafted filename or using the text overlay feature, an attacker can break out of the command string and execute arbitrary shell commands on the server.

Exploit Status: PoC (proof of concept)

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None
  • Impact: Remote Code Execution (RCE)

Affected Systems

  • CodeIgniter 4 Framework
  • CodeIgniter 4: < 4.6.2 (Fixed in: 4.6.2)

Mitigation

  • Upgrade to CodeIgniter 4.6.2 or later
  • Switch Image Handler from 'imagick' to 'gd'
  • Force random filenames for all uploads
  • Sanitize all user input passed to image processing text functions

Remediation Steps

  1. Check app/Config/Images.php to see if $handler is set to 'imagick'.
  2. If using imagick, run composer update to pull the latest framework version.
  3. Verify the update by checking system/Images/Handlers/ImageMagickHandler.php for escapeshellarg() usage.
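The three steps above can be turned into a repeatable audit. The script below is an added example written for this page, not code from the report or from the CodeIgniter project. It assumes the checkout root contains app/Config/Images.php, system/CodeIgniter.php (which carries the CI_VERSION constant) and system/Images/Handlers/ImageMagickHandler.php; in a Composer install the system directory normally lives under vendor/codeigniter4/framework/system, so adjust the root accordingly. The fixture builder at the end writes constructed stand-in files so the audit can be exercised offline.

```shell
#!/bin/sh
# Added example: audit a CodeIgniter 4 checkout for the CVE-2025-54418 exposure.
# Assumed paths (not from the report): $ROOT/app/Config/Images.php,
# $ROOT/system/CodeIgniter.php, $ROOT/system/Images/Handlers/ImageMagickHandler.php.

# Step 1: print the configured image handler ('gd', 'imagick', ...) from Images.php.
# Matches both "public $handler = 'gd';" and "public string $handler = 'gd';".
ci4_handler() {
    sed -n "s/^[[:space:]]*public[[:space:]]\{1,\}\(string[[:space:]]\{1,\}\)\{0,1\}\$handler[[:space:]]*=[[:space:]]*['\"]\([A-Za-z0-9_]*\)['\"].*/\2/p" "$1" | head -n 1
}

# Step 2: print the framework version from the CI_VERSION constant (e.g. 4.6.1).
ci4_version() {
    sed -n "s/.*CI_VERSION[[:space:]]*=[[:space:]]*['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Return 0 when dotted version $1 is >= dotted version $2 (numeric components only).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0;
            if (p > q) exit 0; if (p < q) exit 1;
        }
        exit 0;
    }'
}

# Step 3: return 0 when the ImageMagick handler calls escapeshellarg() at all.
handler_escapes_args() {
    grep -q 'escapeshellarg(' "$1"
}

# Combine the checks; prints "not-exposed", "patched" or "vulnerable".
audit_ci4() {
    ci_root=$1
    ci_handler=$(ci4_handler "$ci_root/app/Config/Images.php")
    if [ "$ci_handler" != "imagick" ]; then
        echo "not-exposed"    # GD (or another handler) is not the affected code path
        return 0
    fi
    ci_ver=$(ci4_version "$ci_root/system/CodeIgniter.php")
    if version_ge "$ci_ver" 4.6.2 \
       && handler_escapes_args "$ci_root/system/Images/Handlers/ImageMagickHandler.php"; then
        echo "patched"        # 4.6.2 or later and arguments are escaped
    else
        echo "vulnerable"     # imagick in use on a framework below 4.6.2 (or no escaping)
    fi
}

# Constructed fixture for offline testing: make_fixture DIR HANDLER VERSION ESCAPED(yes|no).
# The PHP fragments are stand-ins, not the framework's real files.
make_fixture() {
    mkdir -p "$1/app/Config" "$1/system/Images/Handlers"
    cat > "$1/app/Config/Images.php" <<EOF
<?php
class Images
{
    public string \$handler = '$2';
}
EOF
    cat > "$1/system/CodeIgniter.php" <<EOF
<?php
class CodeIgniter
{
    public const CI_VERSION = '$3';
}
EOF
    if [ "$4" = yes ]; then
        echo '<?php $arg = escapeshellarg($path); // constructed stand-in' \
            > "$1/system/Images/Handlers/ImageMagickHandler.php"
    else
        echo '<?php $arg = $path; // constructed stand-in, no escaping' \
            > "$1/system/Images/Handlers/ImageMagickHandler.php"
    fi
}

# Stand-alone demo over two constructed checkouts.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/old" imagick 4.6.1 no
make_fixture "$demo_dir/new" imagick 4.6.2 yes
echo "old checkout: $(audit_ci4 "$demo_dir/old")"   # vulnerable
echo "new checkout: $(audit_ci4 "$demo_dir/new")"   # patched
rm -rf "$demo_dir"
```

Run it against a real project with `audit_ci4 /path/to/project` after sourcing the file. Note that step 3 is a presence check only: a grep for escapeshellarg() confirms the patched file shipped, not that every argument path is covered, so the version comparison is the authoritative test and the grep is corroboration.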


Generated by CVEReports - Automated Vulnerability Intelligence
