GHSA-595P-G7XC-C333
Vulnerability from github – Published: 2026-01-14 21:46 – Updated: 2026-01-14 21:46
Impact
Versions of the Algolia Search & Discovery extension for Magento 2 prior to 3.17.2 and 3.16.2 contain a vulnerability where data read from the database was treated as a trusted source during job execution.
If an attacker is able to modify records used by the extension’s indexing queue, this could result in arbitrary PHP code execution when the affected job is processed.
Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.
Patches
This vulnerability has been fixed in the following versions:
- 3.17.2
- 3.16.2
Merchants should upgrade to a supported patched version immediately.
Versions outside the supported maintenance window do not receive security updates and remain vulnerable.
Workarounds
Upgrading to a patched version is the only recommended remediation.
If an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure:
- Disable the Algolia indexing queue to prevent queued jobs from being executed.
- Restrict job execution logic to an explicit allowlist of permitted operations.
- Review the contents of the algoliasearch_queue table for unexpected or unrecognized entries.
- If queue archiving is enabled, review historical records in algoliasearch_queue_archive.
These mitigations are provided as guidance only and do not replace upgrading to a patched version.
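As an added illustration of the allowlist and queue-review mitigations above (this is example code, not code from the Algolia extension; the queue row shape, the indexer class and its method name are assumed), the following runner refuses any queue row whose class/method pair is not explicitly permitted, and the same check doubles as a review helper for rows pulled from algoliasearch_queue or algoliasearch_queue_archive:

```php
<?php
declare(strict_types=1);

// Assumed (constructed) queue row shape, not taken from the extension:
// ['job_id' => int, 'class' => string, 'method' => string, 'data' => JSON string]

final class ProductIndexer // stand-in for a real indexing job class
{
    public function rebuildStoreProductIndex(array $data): string
    {
        return 'rebuilt product index for store ' . ($data['store_id'] ?? '?');
    }
}

final class AllowlistedJobRunner
{
    // Exact class => permitted methods. Row values never become callables unless they match.
    private const ALLOWLIST = [
        ProductIndexer::class => ['rebuildStoreProductIndex'],
    ];

    /** True when the row names an allowlisted class/method pair (strict string comparison). */
    public static function isAllowed(array $row): bool
    {
        $class  = $row['class'] ?? null;
        $method = $row['method'] ?? null;
        return is_string($class) && is_string($method)
            && isset(self::ALLOWLIST[$class])
            && in_array($method, self::ALLOWLIST[$class], true);
    }

    /** Executes one queue row, refusing anything outside the allowlist before any object is built. */
    public function run(array $row): string
    {
        if (!self::isAllowed($row)) {
            throw new RuntimeException(sprintf('Refused queue job %s: %s::%s is not a permitted operation',
                (string) ($row['job_id'] ?? '?'), (string) ($row['class'] ?? ''), (string) ($row['method'] ?? '')));
        }
        $data    = json_decode((string) ($row['data'] ?? '{}'), true, 512, JSON_THROW_ON_ERROR);
        $class   = $row['class'];           // allowlisted class only, checked above
        $handler = new $class();
        return $handler->{$row['method']}(is_array($data) ? $data : []);
    }

    /** Review helper for queue/archive rows: returns every row that is not allowlisted. */
    public static function findUnexpected(array $rows): array
    {
        return array_values(array_filter($rows, fn(array $r) => !self::isAllowed($r)));
    }
}

// Constructed sample rows: one legitimate job and one entry that should never appear in the queue.
$rows = [
    ['job_id' => 1, 'class' => ProductIndexer::class, 'method' => 'rebuildStoreProductIndex', 'data' => '{"store_id":1}'],
    ['job_id' => 2, 'class' => 'Unexpected\\Handler', 'method' => 'run', 'data' => '{}'],
];
foreach (AllowlistedJobRunner::findUnexpected($rows) as $r) {
    echo "review job {$r['job_id']}: {$r['class']}::{$r['method']}\n";
}
echo (new AllowlistedJobRunner())->run($rows[0]), "\n";
```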
References
- Algolia Search & Discovery for Magento 2 releases:
 - 3.16.2: https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.16.2
 - 3.17.2: https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.17.2
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.17.1"
},
"package": {
"ecosystem": "Packagist",
"name": "algolia/algoliasearch-magento-2"
},
"ranges": [
{
"events": [
{
"introduced": "3.17.0-beta.1"
},
{
"fixed": "3.17.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.16.1"
},
"package": {
"ecosystem": "Packagist",
"name": "algolia/algoliasearch-magento-2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-14T21:46:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nVersions of the Algolia Search \u0026 Discovery extension for Magento 2 prior to **3.17.2** and **3.16.2** contain a vulnerability where data read from the database was treated as a trusted source during job execution.\n\nIf an attacker is able to modify records used by the extension\u2019s indexing queue, this could result in **arbitrary PHP code execution** when the affected job is processed.\n\nExploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.\n\n---\n\n### Patches\n\nThis vulnerability has been fixed in the following versions:\n\n- **3.17.2**\n- **3.16.2**\n\nMerchants should upgrade to a supported patched version immediately.\n\nVersions outside the supported maintenance window do **not** receive security updates and remain vulnerable.\n\n---\n\n### Workarounds\n\nUpgrading to a patched version is the only recommended remediation.\n\nIf an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure:\n\n- Disable the Algolia indexing queue to prevent queued jobs from being executed.\n- Restrict job execution logic to an explicit allowlist of permitted operations.\n- Review the contents of the `algoliasearch_queue` table for unexpected or unrecognized entries.\n- If queue archiving is enabled, review historical records in `algoliasearch_queue_archive`.\n\nThese mitigations are provided as guidance only and do not replace upgrading to a patched version.\n\n---\n\n### References\n\n- Algolia Search \u0026 Discovery for Magento 2 releases:\n - [3.16.2](https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.16.2)\n - [3.17.2](https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.17.2)",
"id": "GHSA-595p-g7xc-c333",
"modified": "2026-01-14T21:46:11Z",
"published": "2026-01-14T21:46:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/algolia/algoliasearch-magento-2/security/advisories/GHSA-595p-g7xc-c333"
},
{
"type": "PACKAGE",
"url": "https://github.com/algolia/algoliasearch-magento-2"
},
{
"type": "WEB",
"url": "https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.16.2"
},
{
"type": "WEB",
"url": "https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.17.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Algolia Search \u0026 Discovery for Magento 2 Has Untrusted Data Handling"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.