Mirasvit Full Page Cache Warmer for Magento 2 PHP Object Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A PHP object injection vulnerability has been identified in Mirasvit Full Page Cache Warmer for Magento 2, in versions prior to 1.11.12. This vulnerability allows unauthenticated attackers to achieve remote code execution by sending a crafted serialized PHP object in the CacheWarmer cookie. The issue arises from an unrestricted call to PHP's native unserialize() function on the cookie value, which can be exploited using gadget chains available in Magento and its dependencies, leading to arbitrary code execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where the affected Magento store is hosted.

Reproduction

To reproduce this vulnerability, send a request to a storefront page with a CacheWarmer cookie that contains a serialized PHP object crafted to exploit the vulnerability. The object should be designed to execute arbitrary code when deserialized. Once the request is processed, the injected code will be executed on the server.

Remediation

Users are advised to update Mirasvit Full Page Cache Warmer for Magento 2 to version 1.11.12 or later.
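The following is an added example, not code from the Mirasvit extension, showing the vulnerable pattern the advisory describes beside a hardened variant and a coarse detection heuristic. The function names, the assumed cookie format (a serialized flat array of string => scalar) and the sample inputs are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed example of the vulnerable pattern: an untrusted cookie value is passed
// straight to unserialize(), so the client can instantiate any loadable class and have
// its magic methods (__wakeup, __destruct, __toString, ...) run. Shown for contrast only.
function vulnerableParseCookie(string $raw)
{
    return unserialize($raw);
}

// Hardened variant (assumed expected shape: flat array of string => scalar).
// allowed_classes => false turns every serialized object into __PHP_Incomplete_Class,
// so no class is instantiated and no magic method runs; the result is then validated
// against the shape the application actually expects before it is used.
function safeParseCookie(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $key => $value) {
        // Objects (including __PHP_Incomplete_Class) are not scalars and are rejected.
        if (!is_string($key) || !is_scalar($value)) {
            return null;
        }
    }
    return $data;
}

// Detection heuristic for logging or WAF rules: a serialized object starts with an
// O:<len>:"<class>" marker (C: for classes with custom serializers), which a benign
// array-only cookie never carries. Coarse by design: a string value that happens to
// contain the marker text would also match, so treat hits as alerts, not proof.
function looksLikeSerializedObject(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed inputs: a benign array cookie and one carrying an embedded object.
$benign  = serialize(['warmer' => '1', 'page' => 'home']);
$hostile = serialize(['x' => new stdClass()]);

var_dump(safeParseCookie($benign));            // validated array
var_dump(safeParseCookie($hostile));           // rejected (null)
var_dump(looksLikeSerializedObject($hostile)); // flagged for logging
```

Where the cookie format is under the application's control, replacing serialize()/unserialize() with json_encode()/json_decode() removes the object-injection surface entirely rather than constraining it.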

Added: May 26, 2026, 4:49 PM
Updated: May 26, 2026, 4:49 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 7.1
remediation: 0.0
relevance: 9.4
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.