CVE-2024-41651 Overview
CVE-2024-41651 affects PrestaShop versions 8.1.7 and earlier. The vulnerability resides in the module upgrade functionality and can lead to arbitrary code execution on the server. The flaw is associated with [CWE-918] Server-Side Request Forgery and [CWE-94] Improper Control of Generation of Code.
Multiple parties dispute the practical severity of this issue. They argue that exploitation requires an attacker to hijack network requests originating from an authenticated admin user. Administrators, by design, already have authority to alter code running on the server.
Critical Impact
A remote attacker who can intercept or manipulate admin module upgrade requests can execute arbitrary code on the PrestaShop server, compromising the entire storefront and underlying host.
Affected Products
- PrestaShop 8.1.7
- PrestaShop versions prior to 8.1.7
- PrestaShop deployments using the module upgrade functionality
Discovery Timeline
- 2024-08-12 - CVE-2024-41651 published to NVD
- 2024-10-09 - Last updated in NVD database
Technical Details for CVE-2024-41651
Vulnerability Analysis
The vulnerability resides in the PrestaShop module upgrade workflow. PrestaShop fetches module upgrade payloads over the network and processes them on the server. An attacker positioned to influence or substitute the upgrade source can deliver a malicious payload that executes as PHP code within the application context.
The issue maps to two CWEs. [CWE-918] reflects the server-side request fetching behavior used during the upgrade. [CWE-94] reflects the resulting code-generation primitive when attacker-controlled content is loaded as executable PHP. Successful exploitation grants the attacker the same privileges as the PrestaShop web process.
Vendor and community responses note that an admin user already controls the code base. The practical risk therefore narrows to scenarios where an unauthenticated network adversary can hijack admin-initiated upgrade traffic, such as through TLS downgrade, DNS spoofing, or compromise of an upstream module repository.
Root Cause
The root cause is insufficient validation of the integrity and authenticity of module upgrade content fetched by the server. The upgrade path trusts the response payload and loads it into the PHP runtime without enforcing strict signature or origin verification.
Attack Vector
The attack vector is network-based and requires high attack complexity. An attacker must intercept module upgrade requests issued by an admin or compromise the upstream delivery channel. No user interaction beyond the admin initiating an upgrade is required. The attacker then substitutes a crafted module archive that triggers arbitrary PHP execution when processed.
A public proof-of-concept is referenced in the GitHub PoC Repository. See the linked repository for technical details of the upgrade flow and payload structure.
Detection Methods for CVE-2024-41651
Indicators of Compromise
- Unexpected PHP files written under PrestaShop module directories such as /modules/ following an upgrade event
- Outbound HTTP requests from the PrestaShop host to domains that do not match the official addons.prestashop.com endpoint during module upgrade actions
- New scheduled tasks, cron jobs, or web shells appearing after an admin-initiated module upgrade
- Anomalous child processes spawned by the PHP-FPM or web server user immediately after /upgrade administrative requests
Detection Strategies
- Monitor PrestaShop admin audit logs for module upgrade actions and correlate with file system changes in modules/ and override/
- Inspect TLS configurations of outbound connections from the PrestaShop server to detect downgrade or certificate validation failures
- Compare hashes of installed module files against vendor-distributed reference hashes after each upgrade
Monitoring Recommendations
- Alert on writes to PHP files within the PrestaShop installation outside maintenance windows
- Capture and review network flows between the PrestaShop server and module distribution endpoints for unexpected redirects or hosts
- Track admin session activity and flag module upgrade requests originating from unusual IP addresses or user agents
How to Mitigate CVE-2024-41651
Immediate Actions Required
- Upgrade PrestaShop to a version later than 8.1.7 that addresses the module upgrade integrity issue
- Restrict admin panel access to trusted networks or VPN-only routes to limit exposure of upgrade traffic
- Enforce HTTPS with strict certificate validation for all module repository communications
- Audit installed modules and review recent upgrade activity for unauthorized changes
Patch Information
Apply the latest stable PrestaShop release that supersedes version 8.1.7. Review the PrestaShop release notes for module upgrade hardening. Vendor advisories are not enumerated in the NVD record for this CVE, so confirm fix status directly with the PrestaShop project before upgrading.
Workarounds
- Disable the in-product module upgrade feature and perform module updates manually using verified archives from official sources
- Place the admin panel behind a reverse proxy that enforces mutual TLS or IP allow-listing
- Verify cryptographic signatures or hashes of module packages before installation when supported by the module author
# Restrict PrestaShop admin directory by source IP in Apache
<Directory "/var/www/prestashop/admin-XXXX">
Require ip 10.0.0.0/24
Require ip 192.168.10.0/24
</Directory>
# Enforce strict TLS for outbound module fetches in php.ini
openssl.cafile = /etc/ssl/certs/ca-certificates.crt
curl.cainfo = /etc/ssl/certs/ca-certificates.crt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
