
Critical 'PolyShell' Vulnerability Exposes Magento and Adobe Commerce Stores to Unauthenticated RCE


A severe security vulnerability, identified as 'PolyShell,' has been disclosed, impacting all current stable 2.x releases of Magento Open Source and Adobe Commerce. The flaw enables unauthenticated attackers to execute arbitrary code remotely (RCE) and potentially take over administrator accounts, posing a critical threat to e-commerce platforms worldwide. According to a report by eCommerce security firm Sansec, the vulnerability stems from a weakness in Magento's REST API, which improperly handles file uploads associated with custom product options on items added to a shopping cart. Specifically, when a product option is of the 'file' type, the API accepts an embedded `file_info` object containing base64-encoded data, a MIME type, and a filename, decodes the data, and writes it to a predictable, web-reachable directory (`pub/media/custom_options/quote/`; `pub/` is the web root, so the path maps to `/media/custom_options/quote/`). This mechanism, intended for legitimate customer uploads such as custom images, can be weaponized to upload malicious scripts.

The exploit's namesake, 'PolyShell,' refers to the use of a polyglot file: a single file crafted to be interpreted validly as more than one file type, for example both a GIF image and a PHP script. Because the file begins with a genuine image header, it passes validation that only inspects magic bytes or the declared MIME type, while the PHP code embedded after the header survives intact on disk. Whether the result is full remote code execution or a more limited path traversal attack depends heavily on the web server (Apache, Nginx) and the security settings of the hosting environment, and above all on whether the server will hand files under `pub/media/` to the PHP interpreter. In the worst case, an unauthenticated attacker gains a shell on the server, leading to complete compromise of the store, theft of customer data, and injection of skimming malware.

While there are no confirmed reports of active exploitation in the wild as of this disclosure, Sansec warns that the exploit methodology is already circulating among threat actors. The firm anticipates that automated, widespread attacks targeting vulnerable Magento stores will commence imminently. Adobe has released a patch for the vulnerability; however, it is currently only available in the second alpha release for the upcoming version 2.4.9. This leaves all current production versions of Magento 2 and Adobe Commerce exposed and without an official, stable security update. Adobe has provided a sample web server configuration that could mitigate the risk, but Sansec notes that most store operators rely on default setups from their hosting providers and may not implement such custom configurations promptly.

The disclosure underscores the persistent security challenges in complex e-commerce platforms and the critical importance of layered defenses. Store administrators are urged to review their server configurations immediately, in particular to ensure that nothing under the upload directories (`pub/media/custom_options/` and the rest of `pub/media/`) is ever executed as PHP, and to restrict the file types the custom-option upload path will accept. Until an official patch is backported to stable branches, operators should monitor the upload directory for files that contain PHP code or carry executable extensions, and apply the available workarounds, such as the configuration guidance from Adobe. This incident follows a pattern of high-impact vulnerabilities in digital supply chains, as seen recently with attacks on code repositories (GlassWorm) and other platforms, highlighting the need for continuous vulnerability management and proactive security hardening in the e-commerce ecosystem.
