Critical Unauthenticated File‑Upload Flaw (PolyShell) in Magento & Adobe Commerce REST API Exposes Millions of Online Stores
What Happened – Security firm Sansec disclosed a critical REST‑API vulnerability, dubbed PolyShell, in Magento and Adobe Commerce that lets anyone upload executable files without authentication. The flaw also enables stored XSS in versions prior to 2.3.5 and affects all releases up to 2.4.9‑alpha2.
Why It Matters for TPRM –
- Unauthenticated file uploads can lead to remote code execution (RCE) or account takeover on e‑commerce sites you rely on.
- No standalone patch exists for production versions; many merchants run custom web‑server configs that leave the upload directory exposed.
- A compromised third‑party storefront can become a foothold for broader supply‑chain attacks against your organization’s customers or data.
Who Is Affected – Retail & e‑commerce operators using Magento or Adobe Commerce (including hosted SaaS, MSP‑managed stores, and custom‑hosted implementations).
Recommended Actions –
- Inventory all vendors that run Magento/Adobe Commerce and verify their version.
- Deploy a Web Application Firewall (WAF) rule to block the vulnerable REST endpoint (/V1/carts/mine/items).
- Restrict write permissions on pub/media/custom_options/quote/ and enforce “no‑execute” flags on upload directories.
- Conduct file‑integrity scans for rogue binaries and monitor for anomalous process launches.
- Press vendors for a back‑ported patch or migration to the 2.4.9‑pre‑release branch.
Technical Notes – The vulnerability resides in the REST API’s handling of file‑type cart‑item options: base64‑encoded payloads are written directly to pub/media/custom_options/quote/. No authentication is required, enabling arbitrary file upload and, in vulnerable configurations, RCE or stored XSS. GraphQL mutations use a separate, non‑vulnerable code path. No official patch exists for production releases; Adobe has released a fix only in a pre‑release (APSB25‑94).
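As an added illustration of the file‑integrity scan recommended above (example code written for this summary, not from Sansec, Adobe or the Security Affairs article), the script below walks a constructed copy of pub/media/custom_options/quote/ and flags files whose extension is outside an assumed customer‑upload allow‑list, whose content carries PHP, HTML or shebang markers, or that have an execute bit set. The allowed‑extension set and the sample files are assumptions; tune the set to the file types the store actually permits for custom options.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: the store's custom-option file types are limited to these.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Byte markers that should never appear in a customer-uploaded image or PDF.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"#!")


def classify(path: Path) -> list[str]:
    """Return the reasons a file in the upload tree is suspicious ([] if none)."""
    reasons = []
    ext = path.suffix.lower()
    if ext not in ALLOWED_EXT:
        reasons.append(f"unexpected extension {ext or '<none>'}")
    head = path.read_bytes()[:4096].lower()  # markers are lower-case
    if any(marker in head for marker in SCRIPT_MARKERS):
        reasons.append("script/HTML content")
    if path.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("execute bit set")
    return reasons


def scan_quote_dir(root: Path) -> dict[str, list[str]]:
    """Map each suspicious file (relative to root) to its list of reasons."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify(path)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def build_sample_tree() -> Path:
    """Constructed sample upload directory: one benign image, three rogue files."""
    root = Path(tempfile.mkdtemp()) / "pub" / "media" / "custom_options" / "quote"
    root.mkdir(parents=True)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG header
    (root / "shell.jpg").write_bytes(b"<?php /* sample marker */ ?>")  # PHP disguised as image
    (root / "note.html").write_text("<script>alert(1)</script>")  # stored-XSS style content
    (root / "rogue.phtml").write_text("<?php /* sample marker */ ?>")
    os.chmod(root / "rogue.phtml", 0o755)  # execute bit, as a dropped binary might carry
    return root


if __name__ == "__main__":
    for name, reasons in scan_quote_dir(build_sample_tree()).items():
        print(f"{name}: {', '.join(reasons)}")
```

In production, point scan_quote_dir at the real upload directory and feed its findings to the store's alerting pipeline alongside the process‑launch monitoring mentioned above.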
Source: Security Affairs