New 'PolyShell' Flaw Allows Unauthenticated RCE on Magento E-Stores

The PolyShell vulnerability lets attackers execute code or hijack accounts on Magento stores without authentication - and exploit code is already circulating.

March 19, 2026 | VibeShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Magento Stores Are Sitting Ducks Right Now

A critical vulnerability called PolyShell has dropped for Magento Open Source and Adobe Commerce v2 - every stable production install. No authentication required. Full remote code execution possible. If you run a Magento store and haven't already locked things down, stop reading and go do that first.

eCommerce security firm Sansec broke the news, and the timing is ugly: Adobe's fix only landed in an alpha build for version 2.4.9 - meaning every production store on the planet is still exposed. Sansec is blunt: "the exploit method is circulating already" and automated attacks are expected to kick off soon.

How PolyShell Actually Works

The flaw lives in Magento's REST API. When a cart item uses a custom product option of type file, Magento accepts an embedded file_info object containing:

  • base64-encoded file data
  • A MIME type
  • A filename

That file gets written directly to pub/media/custom_options/quote/ on the server. No authentication check. No meaningful file validation.

The "PolyShell" name comes from the attack technique itself - a polyglot file crafted to behave simultaneously as a valid image and an executable script. Depending on how the web server is configured, that uploaded file can then be:

  • Executed remotely - triggering full RCE
  • Served as-is - enabling stored XSS and account takeover

Sansec scanned known Magento and Adobe Commerce stores and found that a significant number expose the upload directory publicly. That's game over territory.

What You Need to Do Right Now

Adobe isn't shipping a production patch yet. That means you're on your own until they do. Here's your immediate mitigation checklist:

  • Restrict access to pub/media/custom_options/ at the web server level
  • Verify your nginx or Apache rules actually block direct access to that directory - don't assume your hosting provider did it right
  • Scan your store for uploaded shells, backdoors, or suspicious PHP files in that path
  • Review Adobe's sample web server config as a baseline - then harden beyond it
  • Monitor for unexpected outbound traffic from your web server process

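The two code paths the article describes, as an added example that is not Magento's, Adobe's or Sansec's code: the REST API's file_info object (base64 data, MIME type, filename) run through the server-side checks the article says are missing, and a scanner for pub/media/custom_options/quote/ that does what the checklist's "scan your store for uploaded shells" item asks. The field names data, type and name in file_info are an assumed simplification rather than Magento's schema; every request and file used below is a constructed fixture.

```python
"""Added example (not Magento, Adobe or Sansec code): hardened validation of
custom-option uploads plus a shell/polyglot scanner for the upload directory."""
import base64
import binascii
import os
import re
import tempfile
from pathlib import Path

# Allowed declared MIME types -> (magic-byte prefix, permitted extensions).
ALLOWED_TYPES = {
    "image/png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "image/jpeg": (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    "image/gif": (b"GIF8", {".gif"}),
}
# Markers that turn a served "image" into a shell or a stored-XSS payload.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)
MAX_UPLOAD_BYTES = 2 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when a file_info object fails server-side validation."""


def validate_file_info(file_info: dict) -> tuple[str, bytes]:
    """Return (safe_filename, content); trust nothing the client declared.
    Field names data/type/name are an assumed simplification of file_info."""
    mime = file_info.get("type", "")
    if mime not in ALLOWED_TYPES:
        raise UploadRejected(f"MIME type not allowed: {mime!r}")
    magic, extensions = ALLOWED_TYPES[mime]
    try:
        content = base64.b64decode(file_info.get("data", ""), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise UploadRejected(f"invalid base64: {exc}") from exc
    if not content or len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    # The declared type must match the real bytes ...
    if not content.startswith(magic):
        raise UploadRejected("content does not match declared MIME type")
    # ... and a valid header alone is not enough: a polyglot keeps the image
    # header and appends script, so the whole body is scanned for markers.
    if SCRIPT_MARKERS.search(content):
        raise UploadRejected("embedded script marker found (polyglot)")
    # Never use the client's path: strip directories, restrict the character
    # set, and require an extension that matches the validated type.
    raw_name = os.path.basename(file_info.get("name", "").replace("\\", "/"))
    stem, ext = os.path.splitext(raw_name)
    ext = ext.lower()
    if ext not in extensions:
        raise UploadRejected(f"extension {ext!r} does not match {mime}")
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "upload"
    return f"{stem}{ext}", content


def scan_upload_dir(directory: Path) -> list[tuple[str, str]]:
    """Flag files that look like shells: executable names (including
    double extensions like x.php.jpg), script bodies, and polyglots that
    start with a legitimate image header."""
    findings = []
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        rel, name = str(path.relative_to(directory)), path.name.lower()
        if name.endswith((".php", ".phtml", ".phar")) or ".php." in name or name == ".htaccess":
            findings.append((rel, "executable extension"))
            continue
        body = path.read_bytes()
        if SCRIPT_MARKERS.search(body):
            is_image = any(body.startswith(m) for m, _ in ALLOWED_TYPES.values())
            findings.append((rel, "polyglot (image header + script)" if is_image else "script body"))
    return findings


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def demo_validation() -> dict[str, str]:
    """Run validate_file_info over constructed requests; returns case -> outcome."""
    png = ALLOWED_TYPES["image/png"][0] + b"\x00" * 16
    cases = {  # constructed sample requests, not real traffic; marker is inert
        "clean_png": {"name": "photo.png", "type": "image/png", "data": b64(png)},
        "traversal_name": {"name": "../../evil.png", "type": "image/png", "data": b64(png)},
        "polyglot_gif": {"name": "logo.gif", "type": "image/gif", "data": b64(b"GIF89a<?php /* marker */ ?>")},
        "php_as_jpeg": {"name": "x.jpg", "type": "image/jpeg", "data": b64(b"<?php /* marker */ ?>")},
    }
    outcomes = {}
    for label, info in cases.items():
        try:
            outcomes[label] = "accepted as " + validate_file_info(info)[0]
        except UploadRejected as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


def demo_scan() -> list[tuple[str, str]]:
    """Scan a constructed fixture directory mirroring the Magento upload path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pub/media/custom_options/quote"
        root.mkdir(parents=True)
        (root / "clean.png").write_bytes(ALLOWED_TYPES["image/png"][0] + b"\x00" * 16)
        (root / "poly.gif").write_bytes(b"GIF89a<?php /* marker */ ?>")  # inert polyglot fixture
        (root / "x.php.jpg").write_bytes(b"\xff\xd8\xff\x00\x00")
        return scan_upload_dir(root)
```

Call demo_validation() and demo_scan() to see both halves on the fixtures; point scan_upload_dir() at a real pub/media/custom_options/ to triage a store. The validation side decides on decoded bytes, never on the declared MIME type or filename, because those are exactly the fields an unauthenticated caller controls. The scanner is a triage aid, not proof of cleanliness: any hit in that directory is an incident indicator that warrants checking web server access logs for requests to the flagged path, and it complements rather than replaces the web server deny rule.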
For nginx, a quick block looks like:

# Deny every direct request under the custom-option upload path
location ~* ^/pub/media/custom_options/ {
  deny all;
}

Verify it works. Test it. Don't trust config you didn't write yourself.

The Bigger Picture

PolyShell is a textbook example of why file upload endpoints are high-value attack surfaces. Accepting user-supplied filenames, MIME types, and base64-encoded content without strict server-side validation is a recipe for exactly this. If your app processes file uploads anywhere, that code path deserves a hard look - today.
