Magento PolyShell: unauthenticated file upload that can lead to code execution under insecure server configuration

SLCyber's research examines the PolyShell vulnerability in Magento Open Source and Adobe Commerce. Through the guest API, an attacker can upload a file to pub/media/custom_options/quote/ without authentication by embedding file content in custom product options within the shopping cart. Exploitation requires only a guest cart ID and any valid product SKU. According to the researcher, the target product does not need to have an actual file upload option enabled.
The root cause is incomplete validation of uploaded content. Magento checks whether the file appears to be an image and whether its detected type matches the declared one, but does not strictly enforce consistency with the final file extension. As a result, a polyglot file can pass validation as an image while still being written to disk with a .php extension.
If the server is configured to execute PHP from that location, the issue can be escalated to remote code execution.
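The gap described above, as an added illustration that is not Magento's own code: a sniff-only check that accepts an image-headed file regardless of its final extension, beside a hardened check that ties the on-disk extension to the detected type and derives the stored name from the content rather than from the client. The signatures, extension map and sample inputs are constructed for the example.

```python
from pathlib import PurePosixPath
from typing import Optional

# Magic-byte prefixes for the image types an upload option would normally accept (constructed subset).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}
# Extensions allowed on disk, and the detected type each one must agree with.
EXTENSION_TO_MIME = {".png": "image/png", ".gif": "image/gif",
                     ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}
MIME_TO_EXTENSION = {"image/png": ".png", "image/gif": ".gif", "image/jpeg": ".jpg"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image MIME type implied by the leading bytes, or None."""
    for signature, mime in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return mime
    return None


def weak_check(data: bytes, declared_mime: str, filename: str) -> bool:
    """Models the incomplete validation: looks like an image, detected type matches the
    declared one, but the final extension is never consulted."""
    detected = sniff_image_type(data)
    return detected is not None and detected == declared_mime


def strict_check(data: bytes, declared_mime: str, filename: str) -> bool:
    """Hardened: the final extension must be allow-listed and agree with both the sniffed
    and the declared type, so image-looking content cannot land on disk as .php."""
    expected = EXTENSION_TO_MIME.get(PurePosixPath(filename).suffix.lower())
    if expected is None:
        return False
    return sniff_image_type(data) == expected == declared_mime


def safe_target_name(data: bytes, stem: str) -> Optional[str]:
    """Derive the stored name from the content: extension comes from the sniffed type,
    never from the client-supplied filename. Returns None for non-image content."""
    detected = sniff_image_type(data)
    return None if detected is None else stem + MIME_TO_EXTENSION[detected]


# Constructed samples: a genuine PNG header and an image-headed blob submitted under a .php name.
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
IMAGE_HEADED_BLOB = b"GIF89a" + b"not really a gif"
```

With these inputs, `weak_check(IMAGE_HEADED_BLOB, "image/gif", "upload.php")` returns True while `strict_check` returns False, and `safe_target_name` would store the same bytes under a `.gif` name.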
Vendors
Adobe
Magento
Products
Adobe Commerce
Magento Open Source
PHP
Published
2026-04-02, 10:48