OpenMage LTS has DoS vulnerability in MaliciousCode filter
Description
OpenMage LTS is an e-commerce platform. Versions prior to 19.4.22 and 20.0.19 contain an infinite loop in the malicious code filter under certain conditions. Versions 19.4.22 and 20.0.19 have a fix for this issue. There are no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenMage LTS prior to 19.4.22/20.0.19 has an infinite loop in the malicious code filter, enabling denial of service.
The vulnerability is an infinite loop in the malicious code filter component of OpenMage LTS. Under certain conditions, processing specially crafted input causes the filter to loop indefinitely, consuming server resources and leading to a denial of service [1].
Attackers can exploit this remotely without authentication by sending malicious input that triggers the infinite loop, likely through HTTP requests that are processed by the filter [1]. No special privileges or network position are required, making the attack surface broad.
The impact is a denial of service, rendering the e-commerce platform unavailable and potentially disrupting business operations [1]. There are no known workarounds, and the only mitigation is to upgrade to patched versions.
OpenMage LTS has released versions 19.4.22 and 20.0.19 that fix this issue [3][4]. Users are strongly advised to update immediately.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
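The defect described above is visible in the patch further down: the pre-fix loop keeps the previous pass's output only while it is truthy, so a pass that strips the input down to an empty string (or to `'0'`, which PHP also treats as false) restarts from the original value and never converges. The following is an added illustration written for this page, not OpenMage's code: it reproduces both loop shapes with a constructed pattern list (the project's real `$_expressions` array is not reproduced) and gives the pre-fix version a pass cap so the demonstration raises instead of hanging.

```php
<?php
declare(strict_types=1);

// CONSTRUCTED pattern list for the demo; not the real
// Mage_Core_Model_Input_Filter_MaliciousCode::$_expressions.
const DEMO_EXPRESSIONS = [
    '/<script\b[^>]*>.*?<\/script>/is', // strip <script> elements
    '/javascript:/i',                  // strip javascript: URL scheme
];

/**
 * Pre-fix loop shape (see the removed lines in the patch), plus a pass cap.
 * When a pass reduces the input to '' (or '0'), $result is falsy, the ternary
 * rewinds $subject to the original $value, preg_replace reports a non-zero
 * $count again, and "while ($count !== 0)" never becomes false. The cap turns
 * that hang into an exception for demonstration purposes.
 */
function filterVulnerable(string $value, int $maxPasses = 50): string
{
    $result = false;
    $passes = 0;
    do {
        if (++$passes > $maxPasses) {
            throw new RuntimeException("filter did not converge after {$maxPasses} passes");
        }
        $subject = $result ? $result : $value;
        $result = preg_replace(DEMO_EXPRESSIONS, '', $subject, -1, $count);
    } while ($count !== 0);
    return $result;
}

/**
 * Fixed loop shape (see the added lines in the patch): the filtered value is
 * carried forward unconditionally, so each pass works on the previous output
 * and the loop stops as soon as a pass makes no replacement.
 */
function filterFixed(string $value): string
{
    do {
        $value = preg_replace(DEMO_EXPRESSIONS, '', $value, -1, $count);
    } while ($count !== 0);
    return $value;
}

// Constructed sample inputs: one mixed, one that the filter strips entirely
// (the empty-string case that made the old loop rewind), and one benign.
$inputs = [
    'mixed'  => 'Hello <script>alert(1)</script> world',
    'only'   => '<script>x</script>',
    'benign' => 'plain text',
];

foreach ($inputs as $label => $input) {
    printf("%-6s fixed      => %s\n", $label, var_export(filterFixed($input), true));
    try {
        printf("%-6s vulnerable => %s\n", $label, var_export(filterVulnerable($input), true));
    } catch (RuntimeException $e) {
        printf("%-6s vulnerable => %s\n", $label, $e->getMessage());
    }
}
```

Run with `php demo.php`: the fixed filter returns a string for all three inputs, while the pre-fix loop returns the same result for `mixed` and `benign` but hits the pass cap on `only`, which is exactly the non-terminating case the advisory describes. The pass cap is also a reasonable defence-in-depth for any convergence loop of this kind, since it fails closed instead of tying up a worker.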
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openmage/magento-lts (Packagist) | < 19.4.22 | 19.4.22 |
| openmage/magento-lts (Packagist) | >= 20.0.0, < 20.0.19 | 20.0.19 |
Affected products
- OpenMage/magento-lts (v5): range < 19.4.22
Patches
- 494027785bdb: Merge pull request from GHSA-3p73-mm7v-4f6m (1 file changed · +3 −5)
app/code/core/Mage/Core/Model/Input/Filter/MaliciousCode.php+3 −5 modified@@ -58,17 +58,15 @@ class Mage_Core_Model_Input_Filter_MaliciousCode implements Zend_Filter_Interfac * Filter value * * @param string|array $value - * @return string|array Filtered value + * @return string|array */ public function filter($value) { - $result = false; do { - $subject = $result ? $result : $value; - $result = preg_replace($this->_expressions, '', $subject, -1, $count); + $value = preg_replace($this->_expressions, '', $value, -1, $count); } while ($count !== 0); - return $result; + return $value; } /**
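Review bot: the removed `$subject = $result ? $result : $value;` is the root cause and the replacement is correct, but the hunk leaves the convergence loop undocumented. Before the change, a pass that reduced the input to an empty string (or to `'0'`, which PHP also treats as false) made `$result` falsy, so the next iteration rewound `$subject` to the original `$value`, `preg_replace` reported a non-zero `$count` again, and `do { ... } while ($count !== 0)` never terminated; carrying `$value` forward unconditionally removes that. Suggest a one-line comment on the `do` stating that the loop repeats until a pass makes no replacements, and consider a bounded pass count that fails closed (reject the input) rather than relying on convergence alone, so that any future pattern that can match without shrinking the subject produces an error instead of a hung request. Also, the docblock change from `@return string|array Filtered value` to `@return string|array` only drops the description; keep it.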
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-3p73-mm7v-4f6m (GHSA, advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2023-23617 (GHSA, advisory)
[3] github.com/OpenMage/magento-lts/commit/494027785bdb7db53e60c11ef03c144b61cd3172 (GHSA, x_refsource_MISC, web)
[4] github.com/OpenMage/magento-lts/releases/tag/v19.4.22 (GHSA, x_refsource_MISC, web)
[5] github.com/OpenMage/magento-lts/releases/tag/v20.0.19 (GHSA, x_refsource_MISC, web)
[6] github.com/OpenMage/magento-lts/security/advisories/GHSA-3p73-mm7v-4f6m (GHSA, x_refsource_CONFIRM, web)