CVE-2025-54418

Shells in Your Selfies: CodeIgniter 4 ImageMagick RCE

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 1, 2026·5 min read·7 visits

Executive Summary (TL;DR)

CodeIgniter 4 versions before 4.6.2 failed to sanitize inputs when wrapping the ImageMagick CLI. By uploading an image with a carefully crafted filename or using the text overlay feature, an attacker can break out of the command string and execute arbitrary shell commands on the server.

A critical OS Command Injection vulnerability in CodeIgniter 4's ImageMagick handler allows unauthenticated attackers to achieve Remote Code Execution (RCE) via malicious filenames or text overlays.

Official Patches

CodeIgniterOfficial Upgrade Guide

Fix Analysis (1)

Technical Appendix

CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.25%
Top 100% most exploited
2,200,000
via BuiltWith / Shodan

Affected Systems

CodeIgniter 4 Framework

Affected Versions Detail

Product
Affected Versions
Fixed Version
CodeIgniter 4
CodeIgniter Foundation
< 4.6.24.6.2
AttributeDetail
CWE IDCWE-78 (OS Command Injection)
CVSS v3.19.8 (Critical)
Attack VectorNetwork
Privileges RequiredNone
User InteractionNone
ImpactRemote Code Execution (RCE)

MITRE ATT&CK Mapping

T1059.004Command and Scripting Interpreter: Unix Shell
Execution
T1190Exploit Public-Facing Application
Initial Access
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command.

Known Exploits & Detection

Manual ResearchResearchers demonstrated RCE by uploading files with shell metacharacters in the filename.

Vulnerability Timeline

Vulnerability discovered by researcher vicevirus
2025-07-01
Reported to CodeIgniter Foundation
2025-07-15
CodeIgniter v4.6.2 released with patch
2025-07-28