P012C

PolyShell (CVE-2025-54236)

Description

A known vulnerability in Magento allows attackers to upload malicious files through the custom options file upload feature. These files are stored in the /media/custom_options/ directory and can potentially be executed directly via the web server, leading to remote code execution. This patch blocks public access to that path at the NGINX level. See CVE-2025-54236 for more details.

Impact

There is no downtime expected from this change. NGINX will be reloaded on all web nodes after the configuration is applied.

Changes

  • Drops an NGINX configuration file (00-polyshell-mitigation.conf) into each Magento site's conf.d directory that denies all access to /media/custom_options/.
  • Copies the same configuration into the vhost template directory so that any new sites provisioned in the future will also include the mitigation.
  • Tests the NGINX configuration and reloads NGINX on all web nodes.
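As an added illustration, not the actual file shipped by this patch, a `00-polyshell-mitigation.conf` implementing the deny rule described above would look like the following; the `^~` modifier is an assumption chosen so the prefix match takes precedence over regex locations such as the PHP handler, which would otherwise be consulted first for a `.php` URL under the same path:

```nginx
# 00-polyshell-mitigation.conf  (illustrative reconstruction, not the patch's own file)
#
# Deny every request for anything under /media/custom_options/.
# "^~" tells NGINX to stop searching once this prefix matches, so regex
# locations declared elsewhere in the vhost (for example a "~ \.php$" handler)
# cannot be selected for an uploaded file in this directory. A plain
# "location /media/custom_options/" block without "^~" would lose to such a
# regex location and leave the files reachable.
location ^~ /media/custom_options/ {
    deny all;
}
```

Validate the merged configuration with `nginx -t` before reloading, as the patch itself does. This is a delivery-level block only: it stops the web server from serving the directory but does not remove files that were uploaded before it was applied.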

If You Accept

All public access to /media/custom_options/ will be blocked at the NGINX level, protecting your store from this attack vector. New sites created after the patch will also include the mitigation automatically.

If You Reject

The /media/custom_options/ path will remain publicly accessible, leaving your store vulnerable to potential remote code execution via malicious file uploads.