PolyShell flaw in Magento's REST API enables unauthenticated RCE
Sansec has disclosed “PolyShell,” an unauthenticated file-upload-to-RCE vulnerability in Magento’s REST API. An attacker with no account can write arbitrary files to the server, and depending on the web server configuration that becomes remote code execution (RCE) in PHP. Every Magento Open Source and Adobe Commerce release up to and including 2.4.9-alpha2 is affected. The fix ships in 2.4.9-alpha3 and later, and there is still no separate patch for current production releases.
What a polyglot file is
The name PolyShell comes from the polyglot file technique at the center of the attack. A polyglot file is valid in more than one format at the same time: it parses as an image and also executes as PHP. A MIME check that only inspects the leading bytes and header structure sees a well-formed image and accepts the file, while the PHP open tag and code embedded after the header are left intact for the interpreter to run if the file is ever handed to it.
Combining a JPEG or GIF with PHP is an old trick, long used to smuggle web shells into applications that accept file uploads. Magento’s validation logic did not account for it.
Attack flow
```mermaid
flowchart TD
    A[Attacker] -->|Unauthenticated REST API request| B[Magento REST API<br/>product options endpoint]
    B --> C[file_info parsing<br/>Base64 decode + write file]
    C --> D[Saved under pub/media/custom_options/quote/<br/>with no execution restriction]
    D --> E{Web server setup}
    E -->|Stock nginx config of Magento 2.0.0-2.2.x| F[Executed as PHP]
    F --> G[Remote code execution]
    E -->|Other setups| H[Request the file directly]
    H --> I[Stored XSS executes]
    I --> J[Admin account takeover]
```
The vulnerable REST API endpoint is the product-options endpoint, for options of type=file. If the request body includes a file_info object, Magento takes the following values from it without further validation, all of them attacker-controlled:
- Base64-encoded file data, decoded and written to disk as-is
- MIME type
- File name and extension
The file is written under pub/media/custom_options/quote/, a directory with no execution restriction. GraphQL mutations are not affected because they go through a different code path.
Impact by environment
| Web server environment | Impact |
|---|---|
| Stock nginx configuration of Magento 2.0.0-2.2.x | PHP RCE |
| Other nginx / Apache setups | Stored XSS -> admin account takeover |
| Environments where pub/media/ cannot execute PHP | Much lower impact |
On the stock nginx configuration shipped with Magento 2.0.0-2.2.x, .php files under pub/media/ are handed to PHP, so the uploaded file runs as soon as it is requested over HTTP. (nginx itself has no 2.x release line; the version range refers to Magento.)
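The following nginx fragment is an added example, not Magento's shipped nginx.conf.sample and not from the Sansec advisory. It places the weak pattern described above (a catch-all PHP handler) beside a corrected configuration that also implements the "block direct access to pub/media/custom_options/" mitigation. It assumes the document root is pub/ (so /media/ maps to pub/media/), a PHP-FPM socket at /run/php/php-fpm.sock, and the list of Magento front controllers; only the custom_options directory name comes from the advisory.

```nginx
# WEAK: a catch-all PHP handler. Any *.php reachable under the document
# root, including pub/media/custom_options/quote/, is handed to PHP-FPM.
# (Socket path is an assumption for illustration.)
location ~ \.php$ {
    fastcgi_pass   unix:/run/php/php-fpm.sock;
    fastcgi_index  index.php;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# CORRECTED 1: deny the upload directory outright. "^~" makes this prefix
# match win over every regex location, so no PHP handler ever sees it.
# This stops the file from being served or executed; it does not stop the upload.
location ^~ /media/custom_options/ {
    deny all;
}

# CORRECTED 2: refuse to execute anything script-like anywhere under /media/.
# Regex locations are tried in order of appearance, first match wins, so this
# block must appear BEFORE any ~ \.php$ handler.
location ~* ^/media/.*\.(php|phtml|phar)$ {
    deny all;
}

# CORRECTED 3: the PHP handler only accepts Magento's own entry points
# (the controller list is an assumption), so an uploaded file under any
# other path is never executed even if the two blocks above were removed.
location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
    fastcgi_pass   unix:/run/php/php-fpm.sock;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
```

After reloading, a request such as `curl -I https://shop.example/media/custom_options/quote/anything.php` (hostname assumed) should return 403 rather than a PHP-generated response; a 200 or 502 means the catch-all handler is still first in line.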
Response
Adobe addressed the issue in security bulletin APSB25-94; the fix is present in 2.4.9-alpha3 and later. No CVSS score was disclosed.
| Date | Action |
|---|---|
| March 16 | Sansec Shield defense signature added |
| March 17 | Public disclosure and detection patterns released |
| March 18 | Corrected methodology published |
There is no standalone patch for current production versions (2.4.8 and earlier).
Mitigations
| Mitigation | Details |
|---|---|
| Restrict directory access | Block direct access to pub/media/custom_options/ in nginx or Apache. This does not stop the upload itself |
| Deploy a WAF | Use a dedicated WAF such as Sansec Shield to block malicious uploads |
| Check for compromise | Look for web shells and backdoors in pub/media/custom_options/quote/, including files with script extensions and image-named files that contain a PHP open tag after the image header |
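The scanner below is an added example, not Sansec's or Magento's code, and serves both the polyglot description above and the "check for compromise" mitigation. It mimics a header-only MIME check to show why an image/PHP polyglot passes it, then walks a directory (assumed: pub/media/custom_options/quote/, the path the advisory names) and flags files with an executable extension or with an image signature followed by a PHP open tag. The sample files are constructed for the demo and are not real captured uploads.

```python
"""Polyglot-upload scanner: an added example, not Sansec's or Magento's code.

Flags files under an upload directory that (a) carry an executable extension
or (b) start with an image signature yet contain a PHP open tag, i.e. the
image/PHP polyglot that a magic-byte MIME check lets through.
All sample files below are constructed for the demo.
"""
import os
import re
import tempfile
from typing import Optional

# Leading bytes a naive MIME sniffer accepts as an image.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
}

# PHP open tags that make a file dangerous regardless of its extension.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Extensions a stock PHP handler may execute.
EXEC_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps"}


def sniff_mime(data: bytes) -> Optional[str]:
    """Mimic a header-only MIME check; the polyglot trick is that it passes."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def classify(name: str, data: bytes) -> dict:
    """Return the facts a responder needs about one file."""
    mime = sniff_mime(data)
    ext = os.path.splitext(name)[1].lower()
    has_php = PHP_OPEN_TAG.search(data) is not None
    return {
        "name": name,
        "sniffed_mime": mime,
        "passes_mime_check": mime is not None,
        "executable_extension": ext in EXEC_EXTENSIONS,
        "contains_php_tag": has_php,
        # Image header plus a PHP tag is exactly the PolyShell-style polyglot.
        "polyglot": mime is not None and has_php,
        "suspicious": has_php or ext in EXEC_EXTENSIONS,
    }


def scan_dir(path: str) -> list:
    """Classify every file under `path`; whole file is read since a tag may sit anywhere."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for fname in files:
            with open(os.path.join(root, fname), "rb") as fh:
                findings.append(classify(fname, fh.read()))
    return findings


def write_samples(directory: str) -> None:
    """Constructed sample uploads (not real artefacts) covering the cases that matter."""
    samples = {
        # Real JPEG header, zero-filled body: passes the MIME check and is harmless.
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        # GIF header followed by PHP, saved with a .php extension: the polyglot.
        "banner.gif.php": b"GIF89a" + b"\x00" * 16 + b"<?php echo 'polyglot'; ?>",
        # Plain text with a harmless extension.
        "note.txt": b"nothing to see here",
        # Bare PHP using the short echo tag: fails the MIME check, still executable.
        "shell.php": b"<?= 'short echo tag' ?>",
    }
    for fname, data in samples.items():
        with open(os.path.join(directory, fname), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the samples in a temp dir and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return {f["name"]: f for f in scan_dir(tmp)}


if __name__ == "__main__":
    for name, info in sorted(demo().items()):
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{name:16} mime={info['sniffed_mime']!s:11} polyglot={info['polyglot']!s:5} {flag}")
```

Point `scan_dir` at the real upload directory instead of `demo()` to run it against a store; a hit on `polyglot` is the strongest signal, since a legitimate customer upload has no reason to contain a PHP open tag whatever its extension.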
Related incident
Around the time of disclosure, roughly 15,000 sites across about 7,500 domains, including Asus, FedEx, and Toyota, were defaced. Sansec did not confirm a direct link to PolyShell.