CosmicSting (CVE-2024-34102) is one of the most severe Magento 2 vulnerabilities in recent years: a critical XML External Entity (XXE) injection flaw that lets unauthenticated attackers read any file the PHP process can access, including app/etc/env.php. That file contains the encryption key, and with the key an attacker can mint valid API tokens and keep access to the store even after the patch is applied.
If you haven’t applied the patch, your store has almost certainly been probed. There are multiple public POCs in the wild and active scanning campaigns targeting unpatched stores.
→ Check your store now with the free CosmicSting Validator — used to scan 6,500+ stores, 2,300+ found vulnerable.
So I highly encourage you to make sure the patch is applied (it's simple, a single-file diff) and to download and run a malware scanner such as Ecomscan by SanSec (it's free, although it won't tell you the location of the infections). Since the flaw allowed attackers to exfiltrate any file on the server that the user running PHP could read, it is also highly advised that you rotate your application encryption key in app/etc/env.php: a stolen key lets attackers create new API tokens even after the patch is applied.
Now, on to checking whether your store is vulnerable. Over on GitHub at SamJUK/cosmicsting-validator I've released the POC we used, alongside a bash script to easily check across all the domains you host. After piping in our exported DNS records we caught a few instances we had missed (publicly available demo stores and development sites).
Alongside the above, I’ve also released a validator over at https://cosmicsting.samdjames.uk/
How do I patch CosmicSting (CVE-2024-34102)?
That is fairly simple and can be accomplished by applying the following diff. You can apply it directly on the server with the patch tool, run from the Magento root so the vendor/ paths in the diff resolve: patch -p1 < /the/path/to/the/patch.diff. Typically, though, we would apply it with cweagans/composer-patches so that it is reapplied automatically on every composer install.
diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
index cd7960409e1..df31058ff32 100644
--- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php
+++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
@@ -278,6 +278,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface, ResetAf
// convert to string directly to avoid situations when $className is object
// which implements __toString method like \ReflectionObject
$className = (string) $className;
+ if (is_subclass_of($className, \SimpleXMLElement::class)
+ || is_subclass_of($className, \DOMElement::class)) {
+ throw new SerializationException(
+ new Phrase('Invalid data type')
+ );
+ }
$class = new ClassReflection($className);
if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) {
$className = substr($className, 0, -strlen('Interface'));
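Review bot: the guard at `+ if (is_subclass_of($className, \SimpleXMLElement::class)` / `+ || is_subclass_of($className, \DOMElement::class)) {` rejects only subclasses; `is_subclass_of()` returns false when `$className` is exactly `SimpleXMLElement` or `DOMElement`, so those two base class names still reach `$class = new ClassReflection($className);`. Consider `is_a($className, \SimpleXMLElement::class, true)` (the third argument lets it accept a class-name string) so the base classes themselves are refused as well. Also, the hunk throws `SerializationException` and constructs `Phrase` without showing the corresponding `use` statements; confirm both are already imported at the top of ServiceInputProcessor.php, otherwise the patched file will fail with a class-not-found error at the throw.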
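The bash script below is an added example, not code from the original post, from Magento or from cweagans/composer-patches. It turns the patch-then-verify step into something repeatable across many stores: for each Magento root given on the command line it dry-runs the diff above, applies it only if the dry run succeeds, and then greps ServiceInputProcessor.php for the two guard lines the diff adds. It assumes the diff is saved at the hypothetical path /root/patches/CVE-2024-34102.diff (override with the PATCH_FILE variable) and that each argument is a Magento root containing vendor/magento/framework. Because it inspects the local filesystem, it complements the remote validator above rather than replacing it.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Magento): apply the
# CosmicSting diff to one or more Magento roots and verify the guard landed.
# Assumptions: the diff lives at $PATCH_FILE (hypothetical default path) and
# every positional argument is a Magento root with vendor/magento/framework.
set -u

TARGET_FILE="vendor/magento/framework/Webapi/ServiceInputProcessor.php"
PATCH_FILE="${PATCH_FILE:-/root/patches/CVE-2024-34102.diff}"

# Returns 0 when the file already contains both guard lines from the patch,
# 1 when it does not (still unpatched, or not a Magento root at all).
# -F matches the strings literally so the backslashes and parentheses are
# not treated as regex metacharacters.
cosmicsting_patch_applied() {
    local root="$1"
    local file="$root/$TARGET_FILE"
    [ -f "$file" ] || return 1
    grep -qF 'is_subclass_of($className, \SimpleXMLElement::class)' "$file" \
        && grep -qF 'is_subclass_of($className, \DOMElement::class)' "$file"
}

# Dry-run first so a hunk that no longer applies (already patched, or a
# different framework version) is caught before anything is modified.
# Returns 0 on success or when already patched, 2 on any failure.
cosmicsting_apply_patch() {
    local root="$1"
    if cosmicsting_patch_applied "$root"; then
        echo "[skip]  $root already carries the guard"
        return 0
    fi
    if ! (cd "$root" && patch -p1 -s --dry-run < "$PATCH_FILE"); then
        echo "[error] $root: patch does not apply cleanly, inspect manually" >&2
        return 2
    fi
    (cd "$root" && patch -p1 -s < "$PATCH_FILE") || return 2
    if cosmicsting_patch_applied "$root"; then
        echo "[ok]    $root patched and verified"
    else
        echo "[error] $root: patch ran but guard not found in $TARGET_FILE" >&2
        return 2
    fi
}

# Prints one status line per root; exit status 1 if any root lacks the guard,
# which makes it usable from cron or a CI job that fans out over all hosts.
cosmicsting_report() {
    local root status=0
    for root in "$@"; do
        if cosmicsting_patch_applied "$root"; then
            echo "PATCHED     $root"
        else
            echo "VULNERABLE  $root"
            status=1
        fi
    done
    return $status
}

# Usage: ./cosmicsting.sh report /var/www/store1 /var/www/store2
#        ./cosmicsting.sh apply  /var/www/store1
case "${1:-}" in
    report) shift; cosmicsting_report "$@" ;;
    apply)  shift; for r in "$@"; do cosmicsting_apply_patch "$r"; done ;;
    "")     ;;   # sourced or run without arguments: only define the functions
    *)      echo "usage: $0 {report|apply} <magento_root>..." >&2; exit 64 ;;
esac
```

The grep check is deliberately tied to the exact guard lines in the diff, so a future Adobe release that rewrites the check differently will show up as VULNERABLE; treat that as a prompt to look at the file rather than as proof of exposure, and pair the script with the remote validator for stores you cannot reach over the filesystem.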