This patch hooks into:
Magento\Framework\Api\ImageProcessor
Magento\Framework\Api\ImageContentValidator
But the attack in my logs is going through POST /rest/V1/guest-carts/{cartId}/items which uses a completely different code path — Magento\Catalog\Model\Product\Option\Type\File — which never touches ImageProcessor at all.
The patch is not covering the REST API cart items vector. That's why files are still getting uploaded.
The actual protection right now
| Vector | Status |
| --- | --- |
| REST API cart upload (/rest/V1/guest-carts/.../items) | ❌ Not blocked by patch |
| File execution via browser | ✅ Blocked by .htaccess 403 |
You are safe from exploitation but not from the upload itself.
Best immediate fix — block the REST API upload at web server level
Add this to your root .htaccess:
```apache
# Block PolyShell REST API upload vector
# The store-code segment between /rest/ and /V1/ is optional so the rule covers
# both /rest/V1/guest-carts/... and /rest/<store_code>/V1/guest-carts/...
RewriteCond %{REQUEST_URI} ^/rest/([^/]+/)?V1/guest-carts/.+/items [NC]
RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^ - [F,L]
```
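An added audit script (example code, not from the post) that mirrors the rule's two conditions in Python and runs them over constructed access-log lines, showing which guest-cart item POSTs the rule covers and which of those had already been answered with 2xx before it was in place. The optional store-code segment is an assumption about Magento's REST URL forms.

```python
import re

# The .htaccess rule expressed with Python's re. The optional store-code group
# ([^/]+/)? is an assumption: Magento serves the same endpoint both as
# /rest/V1/... and as /rest/<store_code>/V1/...; [NC] becomes IGNORECASE.
CART_ITEMS_URI = re.compile(r"^/rest/([^/]+/)?V1/guest-carts/.+/items", re.IGNORECASE)

# Apache combined log format: client ident user [time] "METHOD URI PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): two successful cart-item uploads,
# a harmless GET, a cart creation, and one upload already answered with 403.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /rest/V1/guest-carts/abc123/items HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "POST /rest/default/V1/guest-carts/abc123/items HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /rest/V1/guest-carts/abc123/items HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 40
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /rest/v1/guest-carts/abc123/items?x=1 HTTP/1.1" 403 199
"""


def rule_blocks(method, uri):
    """True when both RewriteConds hold, i.e. the rule would answer 403."""
    path = uri.split("?", 1)[0]  # %{REQUEST_URI} carries no query string
    return method == "POST" and CART_ITEMS_URI.search(path) is not None


def audit(log_text):
    """Return (would_block, got_through): requests the rule covers, and the
    subset the server answered with 2xx, i.e. uploads that succeeded."""
    would_block, got_through = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and rule_blocks(m["method"], m["uri"]):
            would_block.append((m["ip"], m["uri"]))
            if m["status"].startswith("2"):
                got_through.append((m["ip"], m["uri"]))
    return would_block, got_through


if __name__ == "__main__":
    blocked, through = audit(SAMPLE_LOG)
    print(f"{len(blocked)} requests match the rule, {len(through)} had already succeeded:")
    for ip, uri in through:
        print(f"  {ip} {uri}")
```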