PolyShell flaw enables unauthenticated RCE and account takeover in Magento 2 stores

A technical report by Sansec describes a vulnerability it has named PolyShell that affects all stable Magento Open Source and Adobe Commerce version 2 installations, allowing unauthenticated code execution and account takeover.

KEY FACTS

  • Vulnerability: PolyShell allows unauthenticated code execution and stored XSS leading to account takeover.
  • Affected: all stable Magento Open Source and Adobe Commerce version 2 installations.
  • Fix: a patch is present only in the second alpha release of version 2.4.9; production versions remain vulnerable.
  • Exposure: uploaded files are written to pub/media/custom_options/quote, which is publicly reachable on many stores.

The flaw stems from Magento’s REST API accepting file uploads as part of custom options for cart items. When a product option has the type “file”, an embedded file_info object (base64-encoded data, a MIME type and a filename) is decoded and written to pub/media/custom_options/quote on the server.

PolyShell uses a polyglot file that is valid as an image yet also contains script content. Where the web server configuration is permissive enough to execute or render files from that directory, this yields remote code execution or stored cross-site scripting that can lead to account takeover.

Adobe has released a fix only in the second alpha release of version 2.4.9, leaving production versions vulnerable. It also offers a sample web server configuration that would largely limit the fallout, but many stores rely on hosting-provider setups that may not implement those rules.

There are no signs of active exploitation in the wild yet, but the exploit method is circulating and automated attacks are expected soon. Until a production patch is available, administrators should restrict access to pub/media/custom_options, verify that their nginx or Apache rules actually block it, and scan stores for uploaded shells or other malware.
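As an added example for the polyglot mechanism and the interim scanning advice above (illustrative code written for this article, not Sansec's tooling or Magento's own code): a Python scanner that walks a pub/media/custom_options tree and flags files that begin with an image signature but also carry a PHP open tag or HTML script markup, plus files with extensions a permissive server might execute or render. The image signatures, marker patterns, the risky-extension list and the sample files it builds are assumptions constructed for the demo, not data from any real store.

```python
"""Scan a Magento pub/media/custom_options tree for polyglot uploads.

Added example written for this article; it is not Sansec's or Magento's
code. It flags files that start with an image signature but also contain
a PHP open tag or HTML script markup (the image/script polyglot PolyShell
relies on), plus files with extensions a permissive web server might
execute or render as HTML.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# Magic bytes of the image formats custom-option uploads usually carry (assumed list).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Markers that turn an "image" into executable or renderable content (assumed list).
SCRIPT_MARKERS = [
    (re.compile(rb"<\?(php|=)", re.IGNORECASE), "php-open-tag"),
    (re.compile(rb"<script\b", re.IGNORECASE), "html-script-tag"),
]

# Extensions that are dangerous regardless of content (assumed list).
RISKY_EXT = {".php", ".phtml", ".phar", ".html", ".htm", ".xhtml", ".svg"}


@dataclass
class Finding:
    rel: str                      # path relative to the scanned root
    image_type: Optional[str]     # detected image signature, if any
    reasons: List[str] = field(default_factory=list)


def image_type(head: bytes) -> Optional[str]:
    """Return the image format implied by the leading bytes, if any."""
    for magic, name in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def inspect_file(path: str, rel: str, max_bytes: int = 4 * 1024 * 1024) -> Optional[Finding]:
    """Inspect one file; return a Finding if it looks dangerous, else None."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)      # very large files: only the head is scanned
    kind = image_type(data[:8])
    reasons = [label for pattern, label in SCRIPT_MARKERS if pattern.search(data)]
    if kind is not None and reasons:
        reasons.insert(0, "image/script-polyglot")   # valid image header + script body
    ext = os.path.splitext(rel)[1].lower()
    if ext in RISKY_EXT:
        reasons.append("risky-extension:" + ext)
    return Finding(rel, kind, reasons) if reasons else None


def scan_dir(root: str) -> List[Finding]:
    """Walk root (e.g. pub/media/custom_options) and collect findings."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            finding = inspect_file(path, rel)
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Create a constructed demo tree (not real store data) and return its root."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    quote = os.path.join(root, "quote")
    os.makedirs(quote)
    samples = {
        # Ordinary JPEG header and trailer: should not be flagged.
        "clean.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9",
        # JPEG header with a PHP tag in the body: polyglot, RCE if executed.
        "poly.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php echo 'x'; ?>" + b"\xff\xd9",
        # PNG header followed by script markup: polyglot, stored XSS if rendered.
        "poly.png": b"\x89PNG\r\n\x1a\n" + b"<script>alert(1)</script>",
        # Plain PHP file: no image signature, still a shell candidate.
        "shell.php": b"<?php echo 'x'; ?>",
        # Harmless text upload: should not be flagged.
        "notes.txt": b"gift message for order",
    }
    for name, content in samples.items():
        with open(os.path.join(quote, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_dir(target):
        print(f"{f.rel}: image={f.image_type or '-'} reasons={','.join(f.reasons)}")
```

Run it against the real directory with `python scan_custom_options.py /path/to/pub/media/custom_options`; without an argument it builds and scans the constructed sample tree. Detection is only the second half of the advice: the directory still needs a deny rule (Magento's shipped nginx.conf.sample carries one for /media/custom_options/; check that your deployed configuration contains it or an Apache equivalent), and requesting a known uploaded file over HTTP and confirming a 403 is the check that proves the rule is in effect.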

WHY IT MATTERS

Stores that serve uploaded files from pub/media/custom_options risk site takeover and customer-account compromise if polyglot files are executed or rendered. Operators should apply access restrictions and run scans while awaiting a production patch.