GHSA-9952-gv64-x94c

Source
https://github.com/advisories/GHSA-9952-gv64-x94c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-9952-gv64-x94c/GHSA-9952-gv64-x94c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9952-gv64-x94c
Aliases
Published
2025-07-28T16:08:20Z
Modified
2025-07-28T16:57:16.639171Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
Details

Impact

This vulnerability affects applications that:
  • Use the ImageMagick handler for image processing (imagick as the image library)
  • AND either:
    • Allow file uploads with user-controlled filenames and process uploaded images using the resize() method
    • OR use the text() method with user-controlled text content or options

An attacker can:
  • Upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed
  • OR provide malicious text content or options that get executed when adding text to images

Patches

Upgrade to v4.6.2 or later.

Workarounds

  • Switch to the GD image handler (gd, the default handler), which is not affected by either vulnerability
  • For file upload scenarios: do not keep the user-provided filename. Generate a random name with getRandomName() when calling move(), or use store(), which generates a safe filename automatically; either removes the filename attack vector
  • For text operations: if you must use ImageMagick with user-controlled text, sanitize the input to a conservative character set, for example preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text), and validate or restrict the text options rather than passing request-supplied option values through
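The attack described under Impact and the two workarounds above, as an added example that is not CodeIgniter4's own handler code: a stand-alone PHP script showing how a filename carrying shell metacharacters changes a concatenated `convert` command line, how escapeshellarg() neutralises it, and framework-free versions of the two workarounds (random filename, caption sanitiser plus an option allow-list). The command shape, the option names fontSize and color, and the malicious inputs are assumptions constructed for the demonstration; getRandomName(), move() and store() are the framework methods the advisory names, not defined here.

```php
<?php
// Added illustration, not CodeIgniter4's own handler code: why a user-controlled
// filename is dangerous once it is spliced into a shell command, and the two
// mitigations the advisory recommends (random filenames, strict text sanitising).
// The command shape, option names and inputs below are constructed for the demo.
declare(strict_types=1);

// Constructed attacker input: an upload "filename" carrying shell metacharacters.
const MALICIOUS_NAME = 'photo.jpg; touch /tmp/pwned #';

// Unsafe pattern: the ImageMagick command line is built by string concatenation,
// so the ';' ends the convert command and the rest runs as a second command.
function buildUnsafeCommand(string $convertBin, string $path): string
{
    return $convertBin . ' ' . $path . ' -resize 100x100 ' . $path;
}

// Hardened pattern: each untrusted argument goes through escapeshellarg(), which
// single-quotes it so the shell treats the whole path as one literal word.
function buildSafeCommand(string $convertBin, string $path): string
{
    $arg = escapeshellarg($path);
    return $convertBin . ' ' . $arg . ' -resize 100x100 ' . $arg;
}

// Workaround 1: never persist the client-supplied name. Keep only an
// allow-listed extension and derive the basename from random bytes.
function randomImageName(string $clientName): string
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
    $ext     = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException('unsupported image type');
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Workaround 2a: reduce caption text to the advisory's conservative character
// set before it reaches text().
function sanitizeCaption(string $text): string
{
    return preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text);
}

// Workaround 2b: pass only allow-listed, validated options through to text();
// anything else from the request (a font path, for instance) is dropped.
function filterTextOptions(array $options): array
{
    $safe = [];
    $size = filter_var($options['fontSize'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 6, 'max_range' => 200]]);
    if ($size !== false) {
        $safe['fontSize'] = $size;
    }
    $color = $options['color'] ?? null;
    if (is_string($color) && preg_match('/^[0-9a-fA-F]{6}$/', $color) === 1) {
        $safe['color'] = $color;
    }
    return $safe;
}

// Demonstration: php example.php
$unsafe = buildUnsafeCommand('/usr/bin/convert', '/uploads/' . MALICIOUS_NAME);
$safe   = buildSafeCommand('/usr/bin/convert', '/uploads/' . MALICIOUS_NAME);
echo "unsafe: {$unsafe}\n"; // contains "; touch /tmp/pwned" as a separate command
echo "safe:   {$safe}\n";   // the whole path sits inside one pair of single quotes

assert(str_contains($unsafe, '; touch /tmp/pwned'));
assert(str_contains($safe, "'/uploads/photo.jpg; touch /tmp/pwned #'"));
assert(preg_match('/^[0-9a-f]{32}\.png$/', randomImageName('$(id).png')) === 1);
assert(sanitizeCaption('Hi; $(id) there!') === 'Hi id there!');
assert(filterTextOptions(['fontSize' => '24', 'color' => 'ff0000', 'fontPath' => '/etc/passwd'])
    === ['fontSize' => 24, 'color' => 'ff0000']);
```

In a CodeIgniter4 upload controller the equivalent of randomImageName() is the framework's own `$file->move($dir, $file->getRandomName())` or `$file->store()`; the point of the script is that the client-supplied name must never reach the path the handler later hands to ImageMagick, and that caption text and options must be reduced to a fixed allow-list before text() sees them.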

References

Database specific
{
    "github_reviewed_at": "2025-07-28T16:08:20Z",
    "nvd_published_at": "2025-07-28T15:15:26Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "CRITICAL"
}
Affected packages

Packagist / codeigniter4/framework

Package

Name
codeigniter4/framework
Purl
pkg:composer/codeigniter4/framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.6.2

Affected versions

v4.*

v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-rc.1
v4.0.0-rc.2
v4.0.0-rc.2.1
v4.0.0-rc.3
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.2.10
v4.2.11
v4.2.12
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.8
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v4.5.8
v4.6.0
v4.6.1

4.*

4.0.0-rc.4
4.0.0