PrestaShop
CVE-2025-25692
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-reachable POST endpoint, no auth required per PR:N, and stated arbitrary code execution justifies C:H/I:H/A:H over the NVD's underscored C:L/I:L.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request.
AnalysisAI
Unauthenticated remote code execution in PrestaShop 8.2.0 is achievable via PHAR deserialization in the _getHeaders function, triggered through a crafted POST request. The publicly available proof-of-concept lowers the bar for exploitation against unpatched storefronts. No active KEV listing exists, but the network-accessible attack surface of e-commerce deployments and the confirmed exploit code make this a meaningful priority for PrestaShop 8.2.0 operators despite a low EPSS score of 0.77%.
Technical ContextAI
PrestaShop is a PHP-based open-source e-commerce platform (CPE: cpe:2.3:a:prestashop:prestashop:8.2.0:*:*:*:*:*:*:*). The vulnerability lives in the _getHeaders function, which processes attacker-influenced input without sanitizing PHP stream wrappers. PHP's PHAR (PHP Archive) stream wrapper - triggered when a function such as file_exists(), fopen(), or similar file-operation wrappers is called on a user-supplied path prefixed with 'phar://' - causes PHP to deserialize the PHAR archive manifest, invoking magic methods (__wakeup, __destruct) on serialized objects present in the archive. This allows an attacker to plant a crafted PHAR file whose deserialized object graph triggers CWE-77 (Command Injection) gadget chains, ultimately running arbitrary OS commands. The assigned CWE-77 (Improper Neutralization of Special Elements used in a Command) indicates that the deserialization chain culminates in injected command execution rather than pure object-graph abuse, which distinguishes this from a pure CWE-502 (Deserialization of Untrusted Data) case.
RemediationAI
Upgrade PrestaShop beyond 8.2.0; the exact patched release version is not confirmed in the available reference data - operators should monitor the official PrestaShop GitHub repository at https://github.com/PrestaShop/PrestaShop and the security advisory channel for a confirmed fixed version before upgrading. Until a patch is applied, restrict POST access to administrative and API endpoints at the WAF or reverse-proxy layer to limit the blast radius, noting that this may impact legitimate storefront functionality. Disable PHP PHAR stream wrapper processing at the php.ini level by setting 'phar.readonly = On' and ensuring no calls to PHAR functions are required by the application; this may break legitimate PHAR-packaged dependencies and should be tested in staging. Input to file-handling functions should be validated against an allowlist of paths server-side as a defense-in-depth measure. The researcher's PoC is documented at https://github.com/3em0/cve_repo/blob/main/preshop/CVE-2025-25692.md and should be reviewed by defenders to inform detection rule authoring.
More in Prestashop
View allPrestaShop is an Open Source e-commerce platform. Rated critical severity (CVSS 9.8), this vulnerability is remotely exp
The store system in PrestaShop 1.7.7.0 allows time-based boolean SQL injection via the module=productcomments controller
PrestaShop from version 1.7.5.0 and before version 1.7.6.8 is vulnerable to a blind SQL Injection attack in the Catalog
reset/modules/advanced_form_maker_edit/multiupload/upload.php in the RESET.PRO Adobe Stock API integration 4.8 for Prest
reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stock API Integration for PrestaShop 1.6 and 1.7 allow
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file u
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for Pre
PrestaShop before 1.6.1.20 and 1.7.x before 1.7.3.4 mishandles cookie encryption in Cookie.php, Rinjdael.php, and Blowfi
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade func
In PrestaShop before version 1.7.6.9 an attacker is able to list all the orders placed on the website without being logg
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today