GHSA-595p-g7xc-c333

Source
https://github.com/advisories/GHSA-595p-g7xc-c333
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-595p-g7xc-c333/GHSA-595p-g7xc-c333.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-595p-g7xc-c333
Published
2026-01-14T21:46:11Z
Modified
2026-01-15T02:22:52.029265Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
Algolia Search & Discovery for Magento 2 Has Untrusted Data Handling
Details

Impact

Versions of the Algolia Search & Discovery extension for Magento 2 prior to 3.17.2 and 3.16.2 contain a vulnerability where data read from the database was treated as a trusted source during job execution.

If an attacker is able to modify records used by the extension’s indexing queue, this could result in arbitrary PHP code execution when the affected job is processed.

Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.


Patches

This vulnerability has been fixed in the following versions:

  • 3.17.2
  • 3.16.2

Merchants should upgrade to a supported patched version immediately.

Versions outside the supported maintenance window do not receive security updates and remain vulnerable.


Workarounds

Upgrading to a patched version is the only recommended remediation.

If an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure:

  • Disable the Algolia indexing queue to prevent queued jobs from being executed.
  • Restrict job execution logic to an explicit allowlist of permitted operations.
  • Review the contents of the algoliasearch_queue table for unexpected or unrecognized entries.
  • If queue archiving is enabled, review historical records in algoliasearch_queue_archive.

These mitigations are provided as guidance only and do not replace upgrading to a patched version.
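The second and third mitigations above (an explicit allowlist for job execution, and a review of the queue table for unrecognized entries) are illustrated by the following added PHP example. It is not code from the advisory or from the Algolia extension: the job class and method names, the `job_id`/`class`/`method`/`data` column layout of the queue rows, and the handler bodies are all assumptions chosen for illustration. The point it demonstrates is that a value read from the database should only ever select among handlers that are defined in code, never be used directly to instantiate a class or call a method by name.

```php
<?php
declare(strict_types=1);

// Added example for this advisory; NOT the Algolia extension's own code.
// Assumptions: queue rows carry job_id, class, method and data (JSON) fields,
// and the App\Indexer\* class names below are hypothetical placeholders.

/**
 * Allowlist of job handlers keyed by the exact "class::method" string a queue row
 * may carry. Each key maps to a concrete callable defined here, so the database
 * value only picks an entry from this map and is never passed to `new` or used
 * as a dynamic method name.
 */
function allowedJobs(): array
{
    return [
        'App\Indexer\ProductIndexer::rebuildProductIds' => static fn(array $data): string =>
            'reindexed ' . count($data['product_ids'] ?? []) . ' products',
        'App\Indexer\CategoryIndexer::rebuildCategoryIds' => static fn(array $data): string =>
            'reindexed ' . count($data['category_ids'] ?? []) . ' categories',
    ];
}

/** Builds the allowlist key for a row, or null when class/method are not plain strings. */
function jobKey(array $row): ?string
{
    if (!is_string($row['class'] ?? null) || !is_string($row['method'] ?? null)) {
        return null;
    }
    return $row['class'] . '::' . $row['method'];
}

/** Executes a queue row only if it matches an allowlisted handler; refuses otherwise. */
function dispatchJob(array $row): string
{
    $id = $row['job_id'] ?? '?';
    $key = jobKey($row);
    $handlers = allowedJobs();
    if ($key === null || !array_key_exists($key, $handlers)) {
        throw new RuntimeException("refused job $id: class/method not in allowlist");
    }
    // Decode the payload strictly; malformed JSON throws instead of silently yielding null.
    $data = json_decode((string) ($row['data'] ?? '{}'), true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException("refused job $id: data is not a JSON object");
    }
    return $handlers[$key]($data);
}

/** Review pass over queue rows: returns the job_ids whose class::method is not allowlisted. */
function unexpectedJobs(array $rows): array
{
    $allowed = allowedJobs();
    $flagged = [];
    foreach ($rows as $row) {
        $key = jobKey($row);
        if ($key === null || !array_key_exists($key, $allowed)) {
            $flagged[] = $row['job_id'] ?? '?';
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for a read of the queue table
// (e.g. SELECT job_id, class, method, data FROM algoliasearch_queue; column names assumed).
$rows = [
    ['job_id' => 1, 'class' => 'App\Indexer\ProductIndexer',  'method' => 'rebuildProductIds',  'data' => '{"product_ids":[10,11,12]}'],
    ['job_id' => 2, 'class' => 'App\Indexer\CategoryIndexer', 'method' => 'rebuildCategoryIds', 'data' => '{"category_ids":[3]}'],
    ['job_id' => 3, 'class' => 'Acme\Unrecognized\Handler',   'method' => 'run',                'data' => '{}'],
    ['job_id' => 4, 'class' => 'App\Indexer\ProductIndexer',  'method' => 'deleteAllProducts',  'data' => '{}'],
];

foreach ($rows as $row) {
    try {
        echo "job {$row['job_id']}: " . dispatchJob($row) . PHP_EOL;
    } catch (RuntimeException | JsonException $e) {
        echo "job {$row['job_id']}: " . $e->getMessage() . PHP_EOL;
    }
}
echo 'unexpected job_ids: ' . implode(', ', unexpectedJobs($rows)) . PHP_EOL;
```

Run with `php allowlist_demo.php`: jobs 1 and 2 execute, job 3 (unknown class) and job 4 (known class, non-allowlisted method) are refused, and the review pass reports job_ids 3 and 4. Note that an allowlist of class names alone is not enough; the key combines class and method, because a legitimate class can still expose methods the queue was never meant to invoke.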


References

  • Algolia Search & Discovery for Magento 2 releases:
Database specific
{
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-01-14T21:46:11Z",
    "nvd_published_at": null,
    "github_reviewed": true
}
Affected packages

Packagist / algolia/algoliasearch-magento-2

Package

Name
algolia/algoliasearch-magento-2
Purl
pkg:composer/algolia/algoliasearch-magento-2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.17.0-beta.1
Fixed
3.17.2

Affected versions

3.*

3.17.0-beta.1
3.17.0-beta.2
3.17.0
3.17.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-595p-g7xc-c333/GHSA-595p-g7xc-c333.json"

last_known_affected_version_range

"<= 3.17.1"

Packagist / algolia/algoliasearch-magento-2

Package

Name
algolia/algoliasearch-magento-2
Purl
pkg:composer/algolia/algoliasearch-magento-2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.16.2

Affected versions

0.*

0.8.2
0.8.3
0.8.4
0.9.0
0.9.1

1.*

1.0.0
1.0.1
1.0.3
1.0.4
1.0.5
1.0.6
1.0.8
1.0.9
1.0.10
1.1.0
1.2.0
1.2.1
1.3.0
1.4.0
1.5.0
1.6.0
1.7.0
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.9.0
1.9.1
1.10.0
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.13.0
1.13.1
1.13.2
1.13.3

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4

3.*

3.0.0
3.0.1
3.0.2
3.1.0
3.2.0
3.3.0
3.3.1
3.4.0
3.6.0
3.6.1
3.7.0
3.7.0-p1
3.7.0-p2
3.8.0
3.8.1
3.9.0
3.9.1
3.10.0
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.11.0-beta
3.11.0
3.11.1-beta
3.12.0
3.12.1
3.13.0
3.13.1
3.13.2
3.13.3
3.13.4
3.13.5
3.13.6
3.13.7
3.13.8
3.14.0-beta.1
3.14.0-beta.2
3.14.0
3.14.1
3.14.2
3.14.3
3.14.4
3.14.5
3.15.0-beta.1
3.15.0-beta.2
3.15.0
3.15.1
3.15.2
3.15.3
3.16.0-beta.1
3.16.0-beta.2
3.16.0
3.16.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-595p-g7xc-c333/GHSA-595p-g7xc-c333.json"

last_known_affected_version_range

"<= 3.16.1"