Fixes a bug in Zend Framework's Stream HTTP Wrapper
Description
Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was backported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unsecured deserialization in Magento-lts <= 19.4.12 and <= 20.0.8 allows remote code execution via a crafted callback parameter.
Vulnerability
The vulnerability affects Magento-lts versions 19.4.12 and prior, and 20.0.8 and prior. It is caused by unsecured deserialization of an object, specifically in Zend Framework's Zend_Http_Response_Stream component. An attacker abuses a feature that loads classes from objects to upload and execute malicious code on the server by manipulating the "callback" parameter. The fix is a backport of the Zend Framework 3 patch for CVE-2021-3007 [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted request that carries a malicious serialized object in the "callback" parameter. No authentication is required if the vulnerable endpoint is reachable; the attacker needs only network access to the affected Magento-lts instance. Exploitation involves supplying a "callbackOptions" array that instead contains malicious code, which is then deserialized and executed [2].
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code on the server, i.e. full remote code execution. This compromises the confidentiality, integrity, and availability of the Magento-lts application and its data: the attacker can upload files, modify data, and potentially pivot to internal systems [1][2].
Mitigation
The vulnerability is patched in versions 19.4.13 and 20.0.9, released in April 2021. Users should upgrade to these versions or later. No workaround is documented; upgrading is the recommended mitigation. The fix backports type checking from Zend Framework 3 to prevent deserialization of untrusted objects [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
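As an added illustration of the hardening described in the Mitigation section above (not code from magento-lts or Zend Framework), the PHP below shows a stream-holding class whose destructor only acts on a plain string naming an existing local regular file, next to the caller-side rule of unserializing untrusted bytes with class instantiation disabled. `TempFileStream`, `decodeUntrusted` and the sample payload are hypothetical names and constructed input.

```php
<?php
// Added illustration, not the magento-lts or Zend Framework source.
// A response-stream-like class whose destructor cleans up a temp file,
// written in the type-checked form the advisory describes.
final class TempFileStream
{
    /** @var resource|null */
    private $stream = null;
    /** @var mixed  Deliberately untyped: unserialize() can place anything here. */
    private $streamName;
    /** @var bool */
    private $cleanup;

    public function __construct(string $streamName, bool $cleanup)
    {
        $this->streamName = $streamName;
        $this->cleanup    = $cleanup;
        $this->stream     = fopen($streamName, 'w+b');
    }

    // The unchecked form (for comparison) would be:
    //     if ($this->cleanup) { @unlink($this->streamName); }
    // which acts on whatever an unserialized payload placed in $streamName.
    public function __destruct()
    {
        if (is_resource($this->stream)) {
            fclose($this->stream);
            $this->stream = null;
        }
        if ($this->cleanup
            && is_string($this->streamName)
            && strpos($this->streamName, '://') === false // local paths only, no stream wrappers
            && is_file($this->streamName)
        ) {
            @unlink($this->streamName);
        }
    }
}

// Caller side: untrusted bytes must never instantiate classes. With
// allowed_classes => false, any serialized object decodes to
// __PHP_Incomplete_Class, so no destructor or other magic method runs.
function decodeUntrusted(string $bytes)
{
    return unserialize($bytes, ['allowed_classes' => false]);
}

// Constructed sample payload naming the class above; it stays inert.
$decoded = decodeUntrusted('O:14:"TempFileStream":0:{}');
var_dump($decoded instanceof __PHP_Incomplete_Class);
```

The destructor check is the defence of last resort; the `allowed_classes` option is what keeps attacker-controlled bytes from becoming live objects in the first place.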
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| openmage/magento-lts | Packagist | < 19.4.13 | 19.4.13 |
| openmage/magento-lts | Packagist | >= 20.0.0, < 20.0.9 | 20.0.9 |
Affected products
- OpenMage/magento-lts (range: <= 19.4.12)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m496-x567-f98c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-21426 (GHSA, advisory)
- github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98c (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.