PT-2026-33796 · Adobe · Magento

Published 2026-04-20 · Updated 2026-04-22 · CVE-2026-25524

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Magento Long Term Support (LTS) versions prior to 20.17.0
Description: PHP functions such as getimagesize(), file_exists(), and is_readable() can trigger deserialization when processing phar:// stream wrapper paths. The software uses these functions with potentially controllable file paths during image validation and media handling. An attacker can upload a polyglot file—a file that is both a valid image and a valid PHAR (PHP Archive) containing malicious serialized objects—and trigger one of these functions with a phar:// path to achieve arbitrary code execution. This occurs because the PHAR format stores serialized metadata that is automatically deserialized when accessed via the phar:// protocol, even by seemingly safe functions.
Recommendations: Update to version 20.17.0. As a temporary workaround, disable the phar:// stream wrapper by adding it to the disable_functions directive in the php.ini file or by calling stream_wrapper_unregister('phar') in the code. Restrict the use of the phar:// wrapper by blocking requests containing this string in parameters via a Web Application Firewall.
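The following is an added example, not Magento's code or part of the vendor fix, showing what the two mitigations above look like in practice: unregistering the phar:// wrapper at bootstrap, and vetting a caller-influenced file name lexically and via realpath() before it ever reaches getimagesize(), file_exists() or is_readable(). The function names, the temporary directory and the embedded 1x1 PNG are constructed for the demo.

```php
<?php
// Added example (hypothetical helper names): hardening file-path handling so
// that image validation can never be pointed at a phar:// URI.
declare(strict_types=1);

// Mitigation 1 (from the advisory): remove the phar:// stream wrapper at
// bootstrap so no file function in this process can open a phar:// path.
// Guarded because the wrapper is absent when the phar extension is disabled.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Mitigation 2: never hand a caller-influenced string straight to
// getimagesize()/file_exists()/is_readable(). Resolve it to a real file
// inside the intended upload directory first and reject everything else.

/**
 * Purely lexical check, applied before any filesystem call: any "scheme:"
 * prefix (phar://, php://, data:, ...) is rejected. Uploaded file names are
 * always relative, so a Windows drive letter would also be rejected here.
 */
function hasStreamWrapperSyntax(string $name): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name);
}

/**
 * Resolves a user-supplied relative file name to an absolute path inside
 * $baseDir, or returns null when the name is unsafe or does not exist.
 */
function resolveUploadPath(string $baseDir, string $name): ?string
{
    if ($name === '' || hasStreamWrapperSyntax($name)) {
        return null;
    }
    if (strpos($name, "\0") !== false) {
        return null;                         // NUL byte truncation tricks
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;                         // missing or unreadable
    }
    // Must stay inside $base: blocks ../ traversal and symlinks leaving it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Image validation the safe way: getimagesize() only ever sees a vetted
 * absolute path on the local filesystem, never the raw caller input.
 */
function validateUploadedImage(string $baseDir, string $name): bool
{
    $path = resolveUploadPath($baseDir, $name);
    if ($path === null || !is_file($path)) {
        return false;
    }
    $info = @getimagesize($path);            // $path cannot be a phar:// URI
    return $info !== false;
}

// Demo setup: a constructed temporary directory holding a constructed 1x1 PNG.
$dir = sys_get_temp_dir() . '/phar_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
file_put_contents($dir . '/ok.png', $png);

// Case 1: a real image inside the upload directory.
var_dump(validateUploadedImage($dir, 'ok.png'));
// Case 2: the same file addressed through the phar:// wrapper (rejected lexically).
var_dump(validateUploadedImage($dir, 'phar://' . $dir . '/ok.png'));
// Case 3: a name that escapes the upload directory (rejected by the realpath prefix check).
var_dump(validateUploadedImage($dir, '../../etc/passwd'));

unlink($dir . '/ok.png');
rmdir($dir);
```

One caveat on the php.ini route: disable_functions takes a list of PHP function names, so it can stop calls to functions such as phar-related APIs but does not by itself remove the phar:// wrapper; the wrapper goes away through stream_wrapper_unregister('phar') as above, or by not loading the phar extension at all. The lexical check and the realpath() containment check are independent of either and cost nothing to keep after updating to 20.17.0.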

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-25524
GHSA-FG79-CR9C-7369

Affected Products

Magento