WAFPlanet

Magento PolyShell Flaw Enables WAF Bypass and Remote Code Execution

Sansec discloses PolyShell, a critical Magento REST API flaw that lets unauthenticated attackers upload malicious files for RCE and account takeover. All versions up to 2.4.9-alpha2 are affected.


Sansec has disclosed a critical vulnerability in Magento's REST API that lets unauthenticated attackers upload arbitrary files and achieve remote code execution. The flaw, dubbed PolyShell, affects all Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2.

How It Works

Magento's REST API accepts file uploads as part of cart item custom options. When a product option has type "file," Magento processes an embedded file_info object containing base64-encoded file data, a MIME type, and a filename. The file gets written to pub/media/custom_options/quote/ on the server with no meaningful restriction.

The attack works by disguising malicious PHP code as an image file. Depending on the web server configuration, this enables either remote code execution via PHP upload or account takeover via stored XSS. No authentication is required.

Patch Status

Adobe fixed the issue in the 2.4.9 pre-release branch as part of APSB25-94 but has not released an isolated patch for current production versions. That leaves a lot of stores exposed. Adobe provides a sample web server configuration that would limit the damage, but Sansec notes that most stores use custom configurations from their hosting provider.

What to Do Now

Sansec recommends restricting access to the upload directory (pub/media/custom_options/), verifying that nginx or Apache rules prevent execution in that directory, and scanning for web shells and backdoors. The key detail: blocking access does not block uploads. Attackers can still upload malicious code unless you are running a specialized WAF.
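Because blocking access to the directory does not stop the upload itself, the scan Sansec recommends is the check that actually tells you whether something landed. The script below is an added example, not code from Sansec, Adobe or Magento; it looks for a PHP open tag anywhere in a file, so an image with PHP appended after a valid header is still flagged. The store root path is an assumption.

```shell
#!/bin/sh
# Added example: scan Magento's custom-option upload directory for files that
# contain PHP code regardless of their extension or image header.
# MAGENTO_ROOT is an assumption; point it at the store's install root.

MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"
UPLOAD_DIR="$MAGENTO_ROOT/pub/media/custom_options/quote"

# Print every regular file under $1 whose bytes contain a PHP open tag.
# -a treats binary (image) data as text, so a tag hidden after a real
# image header is still matched; -l prints only the matching file names.
# A missing directory is not an error: nothing has been uploaded there.
find_php_in_uploads() {
    dir="$1"
    [ -d "$dir" ] || return 0
    grep -rlaE '<\?(php|=)' "$dir" 2>/dev/null || true
}

# Number of flagged files, suitable for a monitoring check (0 is clean).
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# Constructed sample directory for demonstration: one benign GIF and one
# GIF header followed by a harmless PHP tag, which is what the scan flags.
make_sample_dir() {
    d="$(mktemp -d)"
    printf 'GIF89a\001\002\003' > "$d/clean.gif"
    printf 'GIF89a\001\002\003<?php /* constructed marker */ ?>' > "$d/poly.gif"
    echo "$d"
}
```

On a live store, run `find_php_in_uploads "$UPLOAD_DIR"` from cron and alert on any output; anything it lists should be treated as a web shell until proven otherwise.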

Wider Context

The disclosure comes alongside a separate campaign flagged by Netcraft involving the defacement of roughly 15,000 hostnames across 7,500 Magento domains, including infrastructure tied to Asus, FedEx, Fiat, Toyota, and Yamaha. It is not confirmed whether these attacks exploit the PolyShell flaw specifically, but the timing is not great.

WAFplanet Take

This is a textbook case for why WAFs exist. An unauthenticated file upload flaw in a REST API is exactly the kind of thing a properly configured Cloudflare or Akamai WAF rule catches before it hits your application server. But Sansec's point stands: most Magento stores are not running optimal server configs, let alone a dedicated WAF. If you are running Magento without a WAF in front of it, this should be your wake-up call. The lack of an isolated production patch makes it worse. Adobe asking people to wait for 2.4.9 while the vulnerability is public is not a great look.