This kind of de-serialization attack was disabled in OpenMage since 19.4.9 version:
[https://github.com/OpenMage/magento-lts/pull/1251/commits/8c4d7b10e5e83917e77be057d683c3601aad20f9]
Magento 1.x can be patched accordingly.
For Magento 2.x there is official patch released by Adobe on February 13, 2022:
diff --git a/app/code/Magento/Email/Model/Template/Filter.php b/app/code/Magento/Email/Model/Template/Filter.php index 1a7c3683820a..586cb485ee1f 100644 --- a/app/code/Magento/Email/Model/Template/Filter.php +++ b/app/code/Magento/Email/Model/Template/Filter.php @@ -618,6 +618,12 @@ public function transDirective($construction) } $text = __($text, $params)->render(); + + $pattern = '/{{.*?}}/'; + do { + $text = preg_replace($pattern, '', (string)$text); + } while (preg_match($pattern, $text)); + return $this->applyModifiers($text, $modifiers); } diff --git a/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php b/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php index f2fe398c3848..78034d70ba51 100644 --- a/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php +++ b/lib/internal/Magento/Framework/Filter/DirectiveProcessor/VarDirective.php @@ -55,6 +55,11 @@ public function process(array $construction, Template $filter, array $templateVa $result = $this->filterApplier->applyFromRawParam($construction['filters'], $result); } + $pattern = '/{{.*?}}/'; + do { + $result = preg_replace($pattern, '', (string)$result); + } while (preg_match($pattern, $result)); + return $result; }