Overview
- Sansec reports a REST API bug allowing unauthenticated file uploads on Magento Open Source and Adobe Commerce versions up to 2.4.9-alpha2.
- Uploads sent as cart-item custom options are saved to pub/media/custom_options/quote/, enabling PHP code execution or stored XSS depending on server configuration.
- GraphQL uses a different code path and is not affected, according to Sansec’s analysis.
- Adobe addressed the issue only in the 2.4.9 pre-release branch under APSB25-94, leaving production installations without an isolated patch.
- There are no confirmed attacks, but Sansec says the exploit method is already circulating. It advises restricting access to the upload directory, verifying nginx or Apache rules, deploying a specialized WAF, and scanning for web shells, noting that many stores expose the path and that blocking access does not stop uploads.
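One way to apply the "restrict access to the upload directory" advice, written here as an added example rather than configuration taken from Sansec or from Magento's own nginx.conf.sample. It assumes nginx serves the store with its document root set to pub/, so pub/media/custom_options/ is reached as /media/custom_options/.

```nginx
# Added example (not from the Sansec write-up or Magento's shipped config).
# Assumption: root points at pub/, so the upload path is /media/custom_options/.
location /media/ {
    try_files $uri $uri/ /get.php$is_args$args;

    # Refuse to serve anything written via cart-item custom options.
    # This blocks retrieval of a dropped PHP file or XSS payload;
    # it does NOT stop the REST API from writing files there.
    location ~ ^/media/custom_options/ {
        deny all;
    }

    # Never hand files under /media/ to PHP, whatever the extension trick.
    location ~ \.(php|phtml|phar)(/|$) {
        deny all;
    }
}
```

After reloading nginx, a request such as `curl -I https://<store>/media/custom_options/quote/any-file` should return 403; pair this with the web-shell scan the bullet recommends, since the rule only hides uploads that may already exist.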