[Issue] fix: file validation bypass by targeting non file input types during customer file upload #40267

@m2-assistant

This issue is automatically created based on existing pull request: #40262: fix: file validation bypass by targeting non file input types during customer file upload


Description (*)

Currently, we can upload files against any attribute types via the customer file upload controllers.

This is not ideal, as we can target non-file-based types (Select/Hidden/Text) to bypass the expected validation logic that would take place for an Image/File type.

And as far as I am aware, there is no valid reason to be uploading a file to non-file input types (e.g. select / text).

This specific functionality is actively being exploited as part of the Session Reaper (CVE-2025-54236) chain to achieve RCE.
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

This PR restricts the file uploads to only input types that are expected to have file uploads, whilst leaving the input types configurable to merchants/extension developers via di.xml.

Manual testing scenarios (*)

  1. Checkout 2.4-develop

  2. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a select attribute (country_id)
    Note a success message, and the file is present in the pub/media/customer_address directory

  3. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a text attribute (city)
    Note an error message, referencing a text-based validation error from trying to validate a file as a string

  4. Checkout this PR

  5. Repeat Steps 2 & 3, note a friendly error message stating file uploads are unexpected.

  6. Create an image/file based attribute, update the curl command to target that. Upload should succeed.

```bash
# ENV Prep
echo "hello-world" > /tmp/hello-world
FORMKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)

# Test post targeting country_id (select type)
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[country_id]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Test post targeting city (text type)
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[city]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Confirm the file is uploaded to the media file system
find pub/media/customer_address/ -type f
```

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
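
The restriction described above, sketched as an added example in plain PHP; it is not the code from the pull request or from Magento. The class name, the default allowlist (`file`, `image`) and the `avatar` attribute are assumptions made for illustration; in the PR the allowlist is what di.xml makes configurable.

```php
<?php
declare(strict_types=1);

// Hypothetical guard, not Magento's code: names and the default allowlist are assumptions.
final class UploadInputTypeGuard
{
    /** @param string[] $allowedInputTypes input types that may legitimately receive a file */
    public function __construct(private array $allowedInputTypes = ['file', 'image'])
    {
        $this->allowedInputTypes = array_map('strtolower', $this->allowedInputTypes);
    }

    /**
     * @param array<string, mixed>  $uploadedFields attribute code => upload entry, as keyed in the request
     * @param array<string, string> $attributeTypes attribute code => configured input type
     * @throws InvalidArgumentException before any file is validated or moved
     */
    public function assertAllowed(array $uploadedFields, array $attributeTypes): void
    {
        foreach (array_keys($uploadedFields) as $code) {
            $code = (string) $code;
            // Unknown attributes are rejected too: deny by default.
            $type = strtolower($attributeTypes[$code] ?? '');
            if (!in_array($type, $this->allowedInputTypes, true)) {
                throw new InvalidArgumentException(
                    sprintf('File uploads are not expected for attribute "%s".', $code)
                );
            }
        }
    }
}

// Constructed sample data mirroring the manual testing scenarios above.
$attributeTypes = ['country_id' => 'select', 'city' => 'text', 'avatar' => 'image'];
$guard = new UploadInputTypeGuard();

foreach (['country_id', 'city', 'avatar', 'does_not_exist'] as $code) {
    try {
        $guard->assertAllowed([$code => ['tmp_name' => '/tmp/hello-world']], $attributeTypes);
        echo "$code: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$code: rejected ({$e->getMessage()})\n";
    }
}
```

The check runs on the attribute's configured input type before any type-specific validator is chosen, so a select or text attribute never reaches the file-handling path at all.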

    Labels

    Issue: ready for confirmation
    Reported on 2.4.x (Indicates original Magento version for the Issue report.)
    Triage: Dev.Experience (Issue related to Developer Experience and needs help with Triage to Confirm or Reject it)
