CVE-2026-25524
Deserialization RCE via Phar in OpenMage LTS Media Handling

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and media handling. An attacker who can upload a malicious phar file (disguised as an image) and trigger one of these functions with a `phar://` path can achieve arbitrary code execution. Version 20.17.0 patches the issue.
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openmage
Product: magento
Version / Range: up to 20.17.0 (exclusive)
CWE
CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if your OpenMage LTS installation is running a vulnerable version (up to 20.16.0) and if it processes files using the `phar://` stream wrapper in image validation or media handling.

You can check the version of OpenMage LTS installed to determine if it is vulnerable.

To detect potential exploitation attempts or presence of malicious PHAR files, you can search for files uploaded with suspicious extensions or containing PHAR metadata.

  • Check OpenMage LTS version: `grep 'version' path/to/magento-lts/composer.json` or check release tags.
  • Search for files with `phar://` usage in code or logs: `grep -r 'phar://' path/to/magento-lts`.
  • Look for uploaded files containing PHAR stubs by scanning for the `__HALT_COMPILER();` signature: `grep -r --include='*.jpg' '__HALT_COMPILER();' path/to/uploaded/files`.
  • Check PHP stream wrappers registered at runtime: run a PHP script with `print_r(stream_get_wrappers());` to see if `phar` is enabled.
  • Monitor web server logs for requests containing `phar://` in parameters or file paths.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability CVE-2026-25524 allows remote code execution through unsafe deserialization of PHAR files uploaded as images, potentially leading to full system compromise. Such a compromise can result in unauthorized access, modification, or destruction of sensitive data.

This type of security breach can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to patch this vulnerability could lead to data breaches, exposing organizations to legal and regulatory penalties under these frameworks.


Can you explain this vulnerability to me?

CVE-2026-25524 is a vulnerability in OpenMage Long Term Support (LTS), an unofficial community-driven version of the Magento e-commerce platform. The issue arises because certain PHP functions like getimagesize(), file_exists(), and is_readable() can trigger unsafe deserialization when processing file paths that use the phar:// stream wrapper.

An attacker can exploit this by uploading a malicious PHAR file disguised as an image. When the application processes this file using the vulnerable functions, PHP automatically deserializes the embedded PHAR metadata, which can contain malicious serialized objects. This deserialization can lead to arbitrary code execution on the server.

The vulnerability was patched in OpenMage LTS version 20.17.0 by removing ICO file upload support, unregistering the phar:// stream wrapper, and hardening deserialization processes.


How can this vulnerability impact me?

This vulnerability can have severe impacts including full system compromise. An attacker who successfully exploits it can execute arbitrary code remotely on the affected server.

  • Confidentiality impact: The attacker can access sensitive data.
  • Integrity impact: The attacker can modify or delete data.
  • Availability impact: The attacker can disrupt or disable services.

The attack requires uploading a specially crafted file and triggering the vulnerable functions, but no authentication is needed for some upload vectors, making it accessible to remote attackers.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the official patches and updates provided by OpenMage LTS, specifically upgrading to version 20.17.0 or later, which fully addresses the vulnerability.

If patching is not immediately possible, implement the following workarounds to reduce risk:

  • Disable the `phar` stream wrapper in PHP by unregistering it at runtime with `stream_wrapper_unregister('phar')` early in bootstrap; note that the php.ini `disable_functions` directive only disables functions, so `disable_functions = phar` does not remove the wrapper.
  • Implement strict file upload validation to prevent uploading of PHAR or polyglot files disguised as images.
  • Store uploaded files outside the web root and use randomized filenames to prevent direct access.
  • Use Web Application Firewalls (WAFs) to block requests containing `phar://` in parameters.

Additionally, upgrading to v20.17.0 removes ICO file upload support, unregisters the `phar://` stream wrapper at bootstrap, and hardens cache deserialization, providing comprehensive protection.
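The detection bullets in the first answer and the upload-validation workaround above, as one added Python example that is not part of this page or of the OpenMage project: it audits a media directory for files whose extension does not match their magic bytes or that carry the `__HALT_COMPILER();` PHAR stub, and refuses any path that uses the `phar://` scheme before it could reach `getimagesize()`-style functions. The sample files in `demo()` are constructed inline, not real uploads.

```python
import os
import tempfile
from pathlib import Path

# Marker every PHAR stub must contain; PHP unserializes the archive's
# metadata when a phar:// path reaches functions such as getimagesize().
PHAR_STUB = b"__HALT_COMPILER();"
# Magic bytes for the raster formats a media upload directory normally holds.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}

def inspect_upload(path: str) -> list[str]:
    """Return findings for one stored file; an empty list means nothing suspicious."""
    if path.lower().startswith("phar://"):
        # Never let a stream-wrapper URL reach the filesystem functions at all.
        return ["phar-scheme-path"]
    p = Path(path)
    data = p.read_bytes()
    findings = []
    magic = IMAGE_MAGIC.get(p.suffix.lower())
    if magic is not None and not data.startswith(magic):
        findings.append("magic-mismatch")  # extension does not match the content
    if PHAR_STUB in data:
        # A JPEG/PHAR polyglot keeps a valid image header, so the magic check
        # alone passes; the stub marker is what gives it away.
        findings.append("phar-stub")
    return findings

def scan_directory(root: str) -> dict[str, list[str]]:
    """Audit an upload tree (e.g. media/) and return only the flagged files by name."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings = inspect_upload(os.path.join(dirpath, name))
            if findings:
                report[name] = findings
    return report

def demo() -> dict[str, list[str]]:
    """Constructed samples (hypothetical, not real uploads): a clean JPEG, a
    JPEG/PHAR polyglot and a PHAR renamed to .png, scanned from a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        Path(root, "polyglot.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php " + PHAR_STUB + b" ?>")
        Path(root, "renamed.png").write_bytes(b"<?php " + PHAR_STUB + b" ?>")
        return scan_directory(root)
```

Run `scan_directory()` against the real media directory to audit existing uploads, and call `inspect_upload()` on a freshly stored file before the application hands its path to any image-validation function.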

