Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN476
_____________________________________________________________________

DATE                : 30/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CodeIgniter4 versions prior to
                                            4.6.1.

=====================================================================
https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c
_____________________________________________________________________


Command Injection Vulnerability in ImageMagick Handler
Critical
paulbalandan published GHSA-9952-gv64-x94c Jul 26, 2025

Package
codeigniter4/framework (Composer)

Affected versions
< 4.6.1

Patched versions
4.6.2


Description

Impact

This vulnerability affects applications that:

    Use the ImageMagick handler for image processing (imagick as
    the image library)
    AND either:
        Allow file uploads with user-controlled filenames and
    process uploaded images using the resize() method
        OR use the text() method with user-controlled text content
    or options


An attacker can:

    Upload a file with a malicious filename containing shell
    metacharacters that get executed when the image is processed
    OR provide malicious text content or options that get executed
    when adding text to images


Patches

Upgrade to v4.6.2 or later.
Workarounds

    Switch to the GD image handler (gd, the default handler), which
    is not affected by either vulnerability
    For file upload scenarios: Instead of using user-provided
    filenames, generate random names to eliminate the attack vector
    with getRandomName() when using the move() method, or use the store()
    method, which automatically generates safe filenames
    For text operations: If you must use ImageMagick with user-controlled
    text, sanitize the input to only allow safe characters:
    preg_replace('/[^a-zA-Z0-9\s.,!?-]/', '', $text) and validate/restrict text options


References

    OWASP Command Injection Prevention
    CWE-78: OS Command Injection


Severity
Critical
9.8/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2025-54418

Weaknesses
Weakness CWE-78


Credits

    @vicevirus vicevirus Reporter



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================