Sansec has disclosed a flaw in the Magento and Adobe Commerce REST API, named PolyShell, that allows unauthenticated file uploads in versions up to 2.4.9-alpha2 and could also enable cross-site scripting (XSS) in releases prior to 2.3.5, exposing many online stores to compromise, according to Sansec's advisory.
Magento's REST API accepts file uploads as part of cart item custom options. The vulnerable path involves a base64-encoded file_info object that is written to pub/media/custom_options/quote/ on the server; GraphQL mutations use a different code path and are not vulnerable.
The vulnerability has existed since the first release of Magento 2 and was only addressed in the 2.4.9 pre-release (APSB25-94); there is no standalone patch for current production versions. Adobe provides a configuration guide to reduce risk, but many stores use custom setups that leave upload directories exposed, according to the report.
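A defender-side audit of the upload directory named above, added here as an example and not code from Sansec, Adobe or the Magento project: it walks pub/media/custom_options/quote/ and flags files whose extension is executable or script-like, or whose content does not match a recognised image format. The allowed image types, the risky-extension list and the constructed sample directory are assumptions.

```python
# Added audit example (not Sansec's, Adobe's or Magento's code). Walks the
# custom-options upload directory from the advisory and reports files that do
# not look like ordinary image uploads. Lists below are assumptions.
import os
import tempfile

UPLOAD_DIR = "pub/media/custom_options/quote"  # path named in the advisory

# Magic-byte prefixes of image types a store would normally expect here (assumed).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Extensions that should never sit in a web-served upload directory (assumed list).
RISKY_EXT = {".php", ".phtml", ".phar", ".html", ".htm", ".svg", ".js"}

def classify(path):
    """Return (finding, detail) for one file, or None if it looks like an image."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lower()
    if name == ".htaccess" or ext in RISKY_EXT:
        return ("risky-extension", ext or name)
    with open(path, "rb") as fh:
        head = fh.read(16)
    if any(head.startswith(magic) for magic in IMAGE_MAGIC):
        return None  # recognised image content, nothing to report
    return ("unknown-content", head[:8].hex())

def audit(root):
    """Walk root and return {relative_path: (finding, detail)} for suspicious files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            result = classify(full)
            if result:
                findings[os.path.relpath(full, root)] = result
    return findings

def demo():
    """Constructed sample directory: one PNG-like file and two bad uploads."""
    root = tempfile.mkdtemp()
    samples = {
        "ok.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "bad.php": b"<?php /* constructed placeholder */ ?>",
        "odd.jpg": b"not an image at all",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return audit(root)

if __name__ == "__main__":
    target = UPLOAD_DIR if os.path.isdir(UPLOAD_DIR) else None
    for path, (finding, detail) in sorted((audit(target) if target else demo()).items()):
        print(f"{finding:18} {path} ({detail})")
```

Run it from the Magento document root to audit the real directory; when that path does not exist it falls back to the constructed sample.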
Sansec has not seen active exploitation yet, but the exploit is circulating and automated attacks are likely to emerge soon. Netcraft notes a large-scale defacement campaign affecting over 7,500 Magento sites since 27 February.