CVE-2025-54418
PHP vulnerability analysis and mitigation

Overview

A command injection vulnerability (CVE-2025-54418) was discovered in CodeIgniter, a PHP full-stack web framework, affecting versions 4.0.0 through 4.6.2. The vulnerability is present in applications that use the ImageMagick handler for image processing and either allow file uploads with user-controlled filenames that are processed using the resize() method, or use the text() method with user-controlled text content or options. The vulnerability was disclosed on July 28, 2025 (NVD, GitHub Advisory).

Technical details

The vulnerability allows attackers to execute arbitrary OS commands through shell metacharacters injected in filenames or text content. The issue stems from improper neutralization of special elements used in OS commands. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a critical severity level with network attack vector, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

Impact

If exploited, this vulnerability allows attackers to execute arbitrary operating system commands with the privileges of the vulnerable application. This could lead to complete system compromise, including unauthorized access to sensitive data, system modification, and potential service disruption (GitHub Advisory).

Mitigation and workarounds

Users should upgrade to CodeIgniter 4.6.2 or later, which contains the fix. As a workaround, switching to the GD image handler (gd, the default handler) removes the exposure, since GD is not affected. For file-upload scenarios, do not pass user-provided filenames to the image handler: generate a random name with getRandomName() or use the store() method. For text operations with ImageMagick, sanitize the text so that only safe characters are allowed, and validate and restrict the text options rather than accepting them from the request (NVD, GitHub Advisory).
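An added example (not code from the CodeIgniter project or the advisory) showing the two workarounds side by side with the pattern they replace: keeping the client-supplied filename out of the ImageMagick handler by storing the upload under a getRandomName() name, and allowlisting the caption and fixing the options before calling text(). It assumes a CodeIgniter 4 controller with an upload field named `image` and a POST field named `text`; the allowlist pattern and the `base.png` path are choices of this example.

```php
<?php
// Added example for a CodeIgniter 4 controller; not project code.
// Assumes the ImageMagick handler is configured ('imagick').

namespace App\Controllers;

use CodeIgniter\Controller;

class ImageController extends Controller
{
    // Pattern to avoid: the client-chosen name becomes the path handed to the
    // ImageMagick handler, which builds a shell command around that path.
    public function uploadUnsafe()
    {
        $file = $this->request->getFile('image');
        $path = WRITEPATH . 'uploads/' . $file->getClientName();
        $file->move(WRITEPATH . 'uploads', $file->getClientName());
        \Config\Services::image('imagick')->withFile($path)->resize(200, 200, true)->save($path);
    }

    // Hardened: the on-disk name is generated server-side, so the path that
    // reaches ImageMagick never contains user-controlled characters.
    public function upload()
    {
        $file = $this->request->getFile('image');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('invalid upload');
        }
        $newName = $file->getRandomName();          // store() would do the same
        $file->move(WRITEPATH . 'uploads', $newName);
        $path = WRITEPATH . 'uploads/' . $newName;
        \Config\Services::image('imagick')->withFile($path)->resize(200, 200, true)->save($path);
        return $this->response->setJSON(['stored' => $newName]);
    }

    // Hardened text overlay: allowlist the caption, keep the options fixed.
    public function caption()
    {
        $text = (string) $this->request->getPost('text');
        if (! preg_match('/^[A-Za-z0-9 .,!?-]{1,64}$/', $text)) {
            return $this->response->setStatusCode(400)->setBody('caption rejected');
        }
        $path = WRITEPATH . 'uploads/base.png';     // constructed path for the example
        \Config\Services::image('imagick')->withFile($path)
            ->text($text, ['color' => '#ffffff', 'fontSize' => 14, 'vAlign' => 'bottom'])
            ->save($path);
        return $this->response->setJSON(['captioned' => true]);
    }
}
```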

Related PHP vulnerabilities:

CVE ID               Severity  Score  Technologies  Component name                  CISA KEV exploit  Has fix  Published date
GHSA-9v82-vcjx-m76j  HIGH      8.8    PHP           shopware/core                   No                Yes      Sep 10, 2025
CVE-2025-56556       MEDIUM    6.5    PHP           intelliants/subrion             No                No       Sep 11, 2025
CVE-2025-58759       MEDIUM    5.1    PHP           datahihi1/tiny-env              No                Yes      Sep 09, 2025
CVE-2025-58758       MEDIUM    5.1    PHP           datahihi1/tiny-env              No                Yes      Sep 09, 2025
CVE-2025-10316       LOW       2.3    PHP           lavitto/typo3-form-to-database  No                Yes      Sep 16, 2025