SCA: security update for codeigniter4/framework (GHSA-9952-gv64-x94c)

critical Tenable Self-Hosted Container Security Plugin ID 428636

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior
to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the
image library) and either allow file uploads with user-controlled filenames and process uploaded images
using the `resize()` method or use the `text()` method with user-controlled text content or options. An
attacker can upload a file with a malicious filename containing shell metacharacters that get executed
when the image is processed or provide malicious text content or options that get executed when adding
text to images Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the
GD image handler (`gd`, the default handler), which is not affected by either vulnerability. For file
upload scenarios, instead of using user-provided filenames, generate random names to eliminate the attack
vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which
automatically generates safe filenames. For text operations, if one must use ImageMagick with user-
controlled text, sanitize the input to only allow safe characters and validate/restrict text options.
(CVE-2025-54418)

See Also

https://github.com/advisories/GHSA-9952-gv64-x94c

Plugin Details

Severity: Critical

ID: 428636

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 7/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-54418

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/28/2025

Vulnerability Publication Date: 7/28/2025

Reference Information

CVE: CVE-2025-54418

cwe: CWE-78