A newly disclosed critical vulnerability in CodeIgniter4 (versions before 4.6.2) puts affected websites and applications at risk of complete server compromise. The flaw, tracked as CVE-2025-54418 and rated CVSS 9.8 (Critical), is a command injection in the framework's ImageMagick (imagick) image handler. Only applications that have selected the imagick handler are exposed; the default GD handler works in-process and does not run an external binary, so it is not affected.
The vulnerability stems from missing escaping in two commonly used image functions, resize() and text(). The imagick handler builds a command line for ImageMagick's convert binary and runs it through PHP's exec(); the file name used by resize() and the string passed to text() are inserted into that command without being escaped, so input containing shell metacharacters (quotes, backticks, ;, | or $(...)) breaks out of the intended arguments and executes additional commands:
Because the injected commands are executed by the same PHP process that called exec(), they run with the permissions of the web server user (for example www-data), giving attackers the ability to steal data and application secrets, modify content, or take the server offline.
This is a remote, unauthenticated vulnerability: the attacker needs no account, password or other special access. The precondition is that attacker-controlled values reach the vulnerable calls, which is common in practice. An upload form that stores files under the client-supplied file name and then resizes them, or a feature that draws user-submitted text onto an image, can be exploited simply by uploading a file with a crafted name or submitting crafted text.
The risk is significant given the CVSS score, the absence of any user-interaction requirement, and the wide use of CodeIgniter4 in public-facing applications. Attackers can automate scanning for upload endpoints on vulnerable sites and exploit them at scale. An application that never lets user input reach the file name or the text() string is not reachable through this path, but it should still be updated.
The recommended action is to update immediately to the patched CodeIgniter4 version 4.6.2 or later. If updating is not immediately possible, the following temporary measures can reduce risk:
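The upload-and-resize path described above, as an added example written for this page (it is not CodeIgniter's code, the 4.6.2 patch, or Holm Security's list of measures): a controller method that lets client-supplied values reach the imagick handler, next to a variant that keeps attacker-controlled bytes out of the command line. The class name, route, field names and upload directory are assumptions; the CodeIgniter calls used (getFile, isValid, hasMoved, move, guessExtension, service('image', 'imagick'), withFile, resize, text, save) are the framework's real API.

```php
<?php

namespace App\Controllers;

use CodeIgniter\Controller;

/**
 * Editor's illustration for CVE-2025-54418, not CodeIgniter's own code.
 * Assumed: a POST route mapped to this controller with a file field "avatar"
 * and a text field "caption", and an app configured to use the imagick handler.
 */
class Avatar extends Controller
{
    private const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

    /**
     * VULNERABLE on CodeIgniter4 < 4.6.2 with the imagick handler:
     * the client-supplied file name and caption reach the handler unescaped.
     */
    public function uploadUnsafe()
    {
        $file = $this->request->getFile('avatar');
        if ($file === null || ! $file->isValid()) {
            return $this->response->setStatusCode(400)->setBody('no file');
        }

        // move() without a name keeps the client's original file name, so a
        // name containing quotes, ';' or '$(' (constructed attacker input) is
        // written to disk as-is and later interpolated into the convert command.
        $file->move(WRITEPATH . 'uploads');
        $path = WRITEPATH . 'uploads/' . $file->getName();

        // Both the path (resize) and the raw caption (text) are placed on the
        // command line by the handler.
        service('image', 'imagick')
            ->withFile($path)
            ->resize(256, 256, true, 'height')
            ->text((string) $this->request->getPost('caption'), ['color' => '#fff'])
            ->save(WRITEPATH . 'uploads/thumb_' . $file->getName());

        return $this->response->setBody('ok');
    }

    /**
     * Defense-in-depth variant: no attacker-controlled bytes reach the
     * command line. This reduces exposure but does not replace the upgrade;
     * 4.6.2 escapes the arguments inside the handler itself.
     */
    public function uploadSafe()
    {
        $file = $this->request->getFile('avatar');
        if ($file === null || ! $file->isValid() || $file->hasMoved()) {
            return $this->response->setStatusCode(400)->setBody('no file');
        }

        // Extension derived from the detected MIME type and checked against an
        // allow-list, so the stored name is assembled from vetted pieces only.
        $ext = strtolower((string) $file->guessExtension());
        if (! in_array($ext, self::ALLOWED_EXT, true)) {
            return $this->response->setStatusCode(415)->setBody('unsupported image type');
        }
        // Server-generated name: hex digits and one dot, never the client's name.
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $file->move(WRITEPATH . 'uploads', $name);

        // Reduce the caption to a conservative character set and a bounded
        // length before it is drawn onto the image.
        $caption = (string) $this->request->getPost('caption');
        $caption = preg_replace('/[^A-Za-z0-9 .,!?_-]/', '', $caption) ?? '';
        $caption = mb_substr($caption, 0, 64);

        service('image', 'imagick')
            ->withFile(WRITEPATH . 'uploads/' . $name)
            ->resize(256, 256, true, 'height')
            ->text($caption, ['color' => '#fff'])
            ->save(WRITEPATH . 'uploads/thumb_' . $name);

        return $this->response->setBody('ok');
    }
}
```

Two further checks worth running while the upgrade is pending: `composer show codeigniter4/framework` reports the installed version, and if ImageMagick-specific features are not required, setting `$defaultHandler` to `'gd'` in app/Config/Images.php removes the exec() call path entirely. Generating file names server-side, as above, is good practice regardless of this CVE, since the original client name is never trustworthy.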
Holm Security is actively working on detection capabilities for CVE-2025-54418. A dedicated plugin will be released as soon as testing is complete to help identify vulnerable systems in customer environments.