GHSA-595p-g7xc-c333
Algolia Search & Discovery for Magento 2 Has Untrusted Data Handling
Blast Radius
algolia/algoliasearch-magento-2🐘algolia/algoliasearch-magento-2Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Versions of the Algolia Search & Discovery extension for Magento 2 prior to 3.17.2 and 3.16.2 contain a vulnerability where data read from the database was treated as a trusted source during job execution.
If an attacker is able to modify records used by the extension’s indexing queue, this could result in arbitrary PHP code execution when the affected job is processed.
Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.
Patches
This vulnerability has been fixed in the following versions:
- 3.17.2
- 3.16.2
Merchants should upgrade to a supported patched version immediately.
Versions outside the supported maintenance window do not receive security updates and remain vulnerable.
Workarounds
Upgrading to a patched version is the only recommended remediation.
If an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure:
- Disable the Algolia indexing queue to prevent queued jobs from being executed.
- Restrict job execution logic to an explicit allowlist of permitted operations.
- Review the contents of the
algoliasearch_queuetable for unexpected or unrecognized entries. - If queue archiving is enabled, review historical records in
algoliasearch_queue_archive.
These mitigations are provided as guidance only and do not replace upgrading to a patched version.
References
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | algolia/algoliasearch-magento-2 | ≥ 3.17.0-beta.1&&< 3.17.2 | 3.17.2 |
| 🐘Packagist | algolia/algoliasearch-magento-2 | all versions | 3.16.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for algolia/algoliasearch-magento-2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update algolia/algoliasearch-magento-2 to 3.17.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-595p-g7xc-c333 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-595p-g7xc-c333 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-595p-g7xc-c333. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-595p-g7xc-c333 in your dependencies?
O3 detects GHSA-595p-g7xc-c333 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.