Full Report
Sansec is warning of a critical security flaw in Magento's REST API that could allow unauthenticated attackers to upload arbitrary executables and achieve code execution and account takeover. The vulnerability has been codenamed PolyShell by Sansec owing to the fact that the attack hinges on disguising malicious code as an image. There is no evidence that the shortcoming has been exploited in
Analysis Summary
# Vulnerability: Magento PolyShell Unrestricted File Upload
## CVE Details
- **CVE ID:** CVE-2025-XXXXX (Associated with Adobe advisory APSB25-94)
- **CVSS Score:** Critical (Specific numerical score not provided, but categorized as "Critical")
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:** Magento Open Source, Adobe Commerce
- **Versions:** All versions up to 2.4.9-alpha2
- **Configurations:** Systems using the REST API; risk is elevated on stores using custom web server configurations (Nginx/Apache) that do not strictly isolate the media upload directories.
## Vulnerability Description
Codenamed **PolyShell**, this flaw exists in Magento's REST API. The API allows unauthenticated users to upload files as part of "custom options" for cart items. When a product option is set to type 'file,' the API processes an embedded `file_info` object.
The application fails to properly validate the file contents, allowing attackers to send base64-encoded malicious payloads (such as PHP scripts) disguised as legitimate images (polyglots). These files are written to the `pub/media/custom_options/quote/` directory. If the web server is configured to execute scripts within this directory, an attacker can achieve Remote Code Execution (RCE).
## Exploitation
- **Status:** PoC Available (Research published by Sansec); No evidence of exploitation in the wild as of report date.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated REST API access)
## Impact
- **Confidentiality:** High (Full system access / Account Takeover)
- **Integrity:** High (Arbitrary code execution / Stored XSS)
- **Availability:** High (Potential for system-wide disruption or data deletion)
## Remediation
### Patches
- Adobe has addressed the issue in the **2.4.9 pre-release** branch.
- Users should monitor Adobe’s security portal for the official backported patches for production versions (2.4.4 - 2.4.8).
### Workarounds
- **Directory Lockdown:** Immediately restrict access to the `pub/media/custom_options/` directory.
- **Server Configuration:** Update Nginx or Apache rules to explicitly deny the execution of scripts (like `.php`) within the `pub/media/` tree.
- **WAF:** Deploy a Web Application Firewall (WAF) to filter malicious REST API payloads, as server-level blocking only prevents execution, not the file upload itself.
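The server-configuration workaround above, shown as an added illustration rather than a rule taken from the report or from Magento's own `nginx.conf.sample`. The weak form is the usual catch-all that hands every `*.php` under the document root to PHP-FPM; the hardened form ensures nothing under the custom-option upload tree is ever passed to a script handler, whatever its extension. The upstream name `fastcgi_backend` and the `/media/` URL prefix are assumptions for the example.

```nginx
# Weak: one catch-all sends every *.php under the docroot to PHP-FPM,
# including anything written below pub/media/ by the custom-option upload.
location ~ \.php$ {
    fastcgi_pass fastcgi_backend;        # assumed upstream name
    fastcgi_index index.php;
    include fastcgi_params;
}

# Hardened: the upload tree is served as static files only. A "^~" prefix
# location wins over the regex PHP location, so nothing under
# /media/custom_options/ can reach a script handler, regardless of extension.
location ^~ /media/custom_options/ {
    location ~* \.(php|phtml|phar)$ { deny all; }
    try_files $uri =404;
}

# Belt and braces for the rest of the media tree: refuse script-like names
# before the generic PHP location can claim them.
location ~* ^/media/.*\.(php|phtml|phar)$ {
    deny all;
}
```

As the WAF note says, this only stops execution; the upload itself still succeeds, so the file-system indicators in the Detection section remain relevant after the rule is in place.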
## Detection
- **Indicators of Compromise:** Presence of unexpected PHP files or files with mismatched MIME types in `pub/media/custom_options/quote/`.
- **Detection methods:**
  - Scan server directories for web shells and backdoors using tools like Sansec eComscan.
  - Review web server access logs for unusual POST requests to the REST API cart item endpoints.
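The two detection methods above, as an added example that is not part of the report or of any Sansec tooling. The first half scans an upload directory for files whose extension disagrees with their magic bytes or that carry a PHP open tag (the polyglot pattern the report describes); the second half filters access-log lines for POSTs to cart-item routes. The route regex assumes the standard Magento REST paths (`/rest/V1/guest-carts/{id}/items` and `/rest/{store}/V1/carts/mine/items`), which the report does not name, and the sample files and log lines are constructed.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes for the image types a "file" custom option is expected to carry.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
IMAGE_EXTENSIONS = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}
# A genuine image has no reason to contain a PHP open tag anywhere in its body.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None if not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_upload(path: Path):
    """Return the reasons a file looks wrong for an image upload (empty list if clean)."""
    data = path.read_bytes()
    reasons = []
    ext = path.suffix.lower()
    claimed = IMAGE_EXTENSIONS.get(ext)
    actual = sniff_image_type(data)
    if claimed is None:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    elif actual != claimed:
        reasons.append(f"extension says {claimed} but content is {actual or 'not an image'}")
    if PHP_TAG.search(data):
        reasons.append("contains a PHP open tag (possible polyglot)")
    return reasons


def scan_upload_dir(root):
    """Walk an upload tree and map each suspicious relative path to its reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify_upload(path)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def build_sample_dir():
    """Create a throwaway directory of constructed sample uploads; returns its path."""
    d = Path(tempfile.mkdtemp(prefix="custom_options_quote_"))
    (d / "clean.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (d / "poly.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php echo 1; ?>")
    (d / "shell.php").write_bytes(b"<?php echo 1; ?>")
    (d / "fake.jpg").write_bytes(b"not really a jpeg")
    return d


# Combined log format: client, request line ("METHOD PATH PROTO"), status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# Cart-item routes, guest and customer, with or without a store-code segment
# (assumed standard Magento REST paths; not taken from the report).
CART_ITEM_PATH = re.compile(r"^/rest/(?:[^/]+/)?V1/(?:guest-)?carts/[^/]+/items/?(?:\?|$)")

# Constructed sample access-log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "POST /rest/V1/guest-carts/abc123/items HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2026:10:01:03 +0000] "GET /media/custom_options/quote/x.png HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Mar/2026:10:02:00 +0000] "GET /rest/V1/products/SKU1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2026:10:02:10 +0000] "POST /rest/default/V1/carts/mine/items HTTP/1.1" 401 60',
]


def suspicious_cart_posts(log_lines):
    """Return (client, path, status) for every POST to a cart-item route."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status, _size = m.groups()
        if method == "POST" and CART_ITEM_PATH.match(path):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    for rel, why in scan_upload_dir(build_sample_dir()).items():
        print(f"{rel}: {'; '.join(why)}")
    for client, path, status in suspicious_cart_posts(SAMPLE_LOG):
        print(f"{client} POST {path} -> {status}")
```

Run the scanner against the real `pub/media/custom_options/quote/` path rather than the constructed directory; a POST to a cart-item route is normal store traffic, so treat the log hits as a candidate list to correlate with the file findings (same client, upload followed by a direct fetch of the new file) rather than as alerts on their own.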
## References
- Adobe Security Advisory APSB25-94: hxxps://helpx[.]adobe[.]com/in/security/products/magento/apsb25-94[.]html
- Sansec Research: hxxps://sansec[.]io/research/magento-polyshell
- Original Report: hxxps://thehackernews[.]com/2026/03/magento-polyshell-flaw-enables[.]html