GHSA-9952-gv64-x94c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9952-gv64-x94c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-9952-gv64-x94c/GHSA-9952-gv64-x94c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9952-gv64-x94c
- Aliases
- Published
- 2025-07-28T16:08:20Z
- Modified
- 2025-07-28T16:57:16.639171Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
- Details
-
Impact
This vulnerability affects applications that: * Use the ImageMagick handler for image processing (
imagickas the image library) * AND either: * Allow file uploads with user-controlled filenames and process uploaded images using theresize()method * OR use thetext()method with user-controlled text content or optionsAn attacker can: * Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed * OR provide malicious text content or options that get executed when adding text to images
Patches
Upgrade to v4.6.2 or later.
Workarounds
- Switch to the GD image handler (
gd, the default handler), which is not affected by either vulnerability - For file upload scenarios: Instead of using user-provided filenames, generate random names to eliminate the attack vector with
getRandomName()when using themove()method, or use thestore()method, which automatically generates safe filenames - For text operations: If you must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters:
preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text)and validate/restrict text options
References
- Switch to the GD image handler (
- Database specific
{ "cwe_ids": [ "CWE-78" ], "severity": "CRITICAL", "nvd_published_at": "2025-07-28T15:15:26Z", "github_reviewed_at": "2025-07-28T16:08:20Z", "github_reviewed": true }- References
-
- https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c
- https://nvd.nist.gov/vuln/detail/CVE-2025-54418
- https://github.com/codeigniter4/CodeIgniter4/commit/e18120bff1da691e1d15ffc1bf553ae7411762c0
- https://cwe.mitre.org/data/definitions/78.html
- https://github.com/codeigniter4/CodeIgniter4
- https://owasp.org/www-community/attacks/Command_Injection
Affected packages
Packagist / codeigniter4/framework
Package
- Name
- codeigniter4/framework
- Purl
- pkg:composer/codeigniter4/framework
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.6.2
Affected versions
v4.*
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.2.1
v4.0.0-rc.3
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.2.10
v4.2.11
v4.2.12
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v4.5.8
v4.6.0
v4.6.1
4.*
4.0.0-rc.4
4.0.0