GHSA-8q4h-8crm-5cvc: Remote Command Execution via Command Injection in elFinder ImageMagick CLI Integration
Vulnerability ID: GHSA-8Q4H-8CRM-5CVC
CVSS Score: 9.8
Published: 2026-04-17
A critical command injection vulnerability in the elFinder web file manager allows unauthenticated remote attackers to execute arbitrary system commands on the hosting server. The flaw is reachable only when elFinder is configured to use the ImageMagick CLI driver: the background colour (`bg`) parameter of the image resize operation is not sanitized before it is placed on the `convert` command line.
TL;DR
elFinder versions prior to 2.1.67 are vulnerable to unauthenticated remote code execution. The image resize functionality fails to sanitize the bg parameter, allowing attackers to inject shell commands into the ImageMagick CLI execution context.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: Command Injection (CWE-77)
- Attack Vector: Network
- CVSS v3.1 Score: 9.8 Critical
- Authentication Required: None
- Configuration Requirement: ImageMagick CLI Driver active
- Exploit Status: Proof of Concept available
- Impact: Remote Code Execution (RCE)
Affected Systems
- Web applications using the studio-42/elfinder package prior to version 2.1.67
- Deployments configured to process elFinder images through the ImageMagick command-line interface rather than the GD or Imagick PHP extensions
- elFinder: < 2.1.67 (fixed in 2.1.67)
Exploit Details
- Vulnerability Analysis: Proof of concept payload structure discussed in advisory
Mitigation Strategies
- Upgrade the studio-42/elfinder package to version 2.1.67 or later.
- Reconfigure elFinder to use the PHP GD extension or the native PHP Imagick extension instead of the ImageMagick CLI driver; this removes the shell invocation entirely.
- As a stopgap, deploy WAF rules that restrict the `bg` parameter of resize requests to the expected hexadecimal colour pattern (a value such as `#ffffff`). Treat this as defence in depth, not as a substitute for the upgrade.
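How the input-validation mitigation looks in code, as an added example that is neither elFinder's own code nor the payload structure from the advisory: a hypothetical PHP resize helper with the `bg` value interpolated unsanitised, beside a hardened version that allow-lists a hex colour and shell-escapes each operand. The function names, parameter names and sample inputs are assumptions for the demonstration.

```php
<?php
// Added example, not elFinder's own code. A hypothetical resize helper that
// builds an ImageMagick `convert` command line is shown twice: once with the
// caller-controlled bg value interpolated unsanitised (the pattern class the
// advisory describes), once hardened. Names are assumptions for the demo.

/**
 * UNSAFE (illustrative only; the result is printed, never executed): $bg is
 * pasted straight into the command string, so a value containing shell
 * metacharacters such as "#ffffff; id" ends the convert command and starts
 * a second, attacker-chosen one.
 */
function buildResizeCommandUnsafe(string $src, string $dst, int $w, int $h, string $bg): string
{
    return "convert $src -resize {$w}x{$h} -background $bg -gravity center -extent {$w}x{$h} $dst";
}

/**
 * Allow-list the colour: only #rgb or #rrggbb (leading '#' optional),
 * returned in canonical lower-case form. Colour names, rgb(...) syntax
 * and anything carrying shell characters are rejected.
 */
function normalizeHexColor(string $bg): ?string
{
    if (preg_match('/\A#?([0-9a-f]{3}|[0-9a-f]{6})\z/i', $bg, $m) !== 1) {
        return null;
    }
    return '#' . strtolower($m[1]);
}

/**
 * HARDENED: validate bg against the allow-list first, then shell-escape
 * every string operand anyway (defence in depth). Width and height are
 * ints, so the geometry string cannot carry metacharacters.
 */
function buildResizeCommandSafe(string $src, string $dst, int $w, int $h, string $bg): string
{
    $color = normalizeHexColor($bg);
    if ($color === null) {
        throw new InvalidArgumentException('bg must be a hex colour such as #ffffff');
    }
    if ($w <= 0 || $h <= 0) {
        throw new InvalidArgumentException('width and height must be positive');
    }
    $geometry = $w . 'x' . $h;
    return implode(' ', [
        'convert',
        escapeshellarg($src),
        '-resize', $geometry,
        '-background', escapeshellarg($color),
        '-gravity', 'center',
        '-extent', $geometry,
        escapeshellarg($dst),
    ]);
}

// Constructed inputs for the demonstration: a benign colour and a value that
// would be a command injection against the unsafe builder.
$benign  = '#FFF';
$hostile = '#ffffff; id > /tmp/injected';

echo 'unsafe: ', buildResizeCommandUnsafe('in.png', 'out.png', 100, 100, $hostile), PHP_EOL;
echo 'safe:   ', buildResizeCommandSafe('in.png', 'out.png', 100, 100, $benign), PHP_EOL;

try {
    buildResizeCommandSafe('in.png', 'out.png', 100, 100, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'safe:   rejected hostile bg (', $e->getMessage(), ')', PHP_EOL;
}
```

`escapeshellarg` stops the shell from splitting a value, but it does not stop an argument that begins with `-` from being parsed as an option by `convert` itself; that is why the allow-list, not the quoting, is the primary control for `bg`, and why a WAF rule that enforces the same hex pattern is a reasonable stopgap until the package is upgraded.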
Remediation Steps:
- Identify the deployed version of studio-42/elfinder by checking the composer.lock file or, for a vendored copy, the version string in the elFinder source.
- Update the composer.json file to require "studio-42/elfinder": ">=2.1.67".
- Run 'composer update studio-42/elfinder' to apply the patch.
- Review the elFinder connector configuration file (usually connector.php) and ensure the image library option of every volume root (`imgLib`) selects GD or the Imagick extension rather than the ImageMagick CLI.
- Restart PHP-FPM (or the web server, where PHP runs in-process) or clear OPcache so the patched files are loaded; restarting only the front-end web server does not flush a separate PHP-FPM opcache.
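An added audit script for the remediation steps above, written for this page and not part of elFinder or the advisory: it reads the installed `studio-42/elfinder` version from `composer.lock`, compares it with 2.1.67, and flags connector roots whose `imgLib` option selects the ImageMagick CLI. The `composer.lock` JSON and the root options in the script are constructed sample data; the `imgLib` option name and its `'convert'`/`'auto'` values follow elFinder's connector configuration, and the fallback behaviour assumed for `'auto'` is marked as an assumption in the code.

```php
<?php
// Added example, not part of the advisory or of elFinder. Answers two
// questions for one deployment:
//   1. Is the installed studio-42/elfinder older than the fixed 2.1.67?
//   2. Does any connector volume root select the ImageMagick CLI driver?
// Pass a real composer.lock path as the first argument; without one, the
// constructed sample below is used.

const FIXED_VERSION = '2.1.67';
const PACKAGE = 'studio-42/elfinder';

/** Return the locked version of $package from composer.lock JSON, or null if absent. */
function installedVersionFromLock(string $lockJson, string $package): ?string
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        return null;
    }
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === $package) {
                // composer.lock may record a tag such as "v2.1.66"; strip the prefix.
                return ltrim((string) ($pkg['version'] ?? ''), 'v');
            }
        }
    }
    return null;
}

/** True when $version is strictly older than the first fixed release. */
function isVulnerableVersion(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

/**
 * Inspect the root options that would be handed to the elFinder connector.
 * 'convert' selects the ImageMagick CLI. Assumption: with 'auto' elFinder
 * falls through to the CLI when neither the imagick nor the gd extension is
 * loaded, so that case is reported as a warning rather than a pass.
 */
function imageDriverFindings(array $connectorOpts): array
{
    $findings = [];
    foreach ($connectorOpts['roots'] ?? [] as $i => $root) {
        $lib = $root['imgLib'] ?? 'auto';
        if ($lib === 'convert') {
            $findings[] = "root #$i: imgLib=convert (ImageMagick CLI) -> exposed, switch to gd or imagick";
        } elseif ($lib === 'auto' && !extension_loaded('imagick') && !extension_loaded('gd')) {
            $findings[] = "root #$i: imgLib=auto but no imagick/gd extension loaded -> may fall back to CLI";
        } else {
            $findings[] = "root #$i: imgLib=$lib -> ok";
        }
    }
    return $findings;
}

// --- Constructed sample data (not a real deployment) ----------------------
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "studio-42/elfinder", "version": "2.1.66"},
    {"name": "psr/log", "version": "3.0.0"}
  ],
  "packages-dev": []
}
JSON;

$sampleOpts = [
    'roots' => [
        ['driver' => 'LocalFileSystem', 'path' => '/var/www/files',  'imgLib' => 'convert'],
        ['driver' => 'LocalFileSystem', 'path' => '/var/www/public', 'imgLib' => 'gd'],
    ],
];

$lockJson = isset($argv[1]) ? (string) file_get_contents($argv[1]) : $sampleLock;

$version = installedVersionFromLock($lockJson, PACKAGE);
if ($version === null) {
    echo PACKAGE, ': not found in composer.lock', PHP_EOL;
} else {
    echo PACKAGE, ' ', $version, ': ',
        isVulnerableVersion($version) ? 'VULNERABLE, upgrade to ' . FIXED_VERSION : 'patched',
        PHP_EOL;
}
foreach (imageDriverFindings($sampleOpts) as $line) {
    echo $line, PHP_EOL;
}
```

Run it as `php audit.php /path/to/composer.lock` on each host; the driver check is meant to be pointed at the same array you pass to the connector, since the effective `imgLib` is decided per volume root, not globally.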
References
- GitHub Security Advisory GHSA-8q4h-8crm-5cvc
- Studio-42 elFinder Repository Security Advisory
- elFinder 2.1.67 Release Notes
- OSV Packagist Ecosystem List
- GitLab Advisory Database