A critical vulnerability, designated CVE-2025-54418, was identified within the ImageMagick handler of CodeIgniter4, potentially leaving millions of web applications susceptible to command injection attacks.
The vulnerability was assigned a CVSS score of 9.8, signifying the utmost severity and an urgent threat to compromised systems. It affects CodeIgniter4 versions preceding 4.6.2 that utilize the ImageMagick handler.
Exploitation can occur when malicious filenames or text within uploaded content lead to the execution of arbitrary system commands. Developers are advised to upgrade to version 4.6.2 or switch to the GD handler for immediate protection.
The vulnerability's details were released to the GitHub Advisory Database on July 28, 2025. Its critical severity stems from the potential for full system compromise.
Notably, the exploit requires no prior authentication and can be performed remotely with minimal effort, posing a significant risk to applications accessible via the internet.
The CVSS v3.1 vector string, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, underscores its maximum potential impact on confidentiality, integrity, and availability.
In response, CodeIgniter4 developers have promptly issued version 4.6.2 as an emergency patch. Organizations employing vulnerable versions are strongly urged to upgrade without delay to avert potential exploitation.