Outdated and unverified code on your pages

Magento CosmicSting: is your store on a version that leaks its own encryption key?

Magento - now Adobe Commerce - runs a huge share of serious e-commerce, which makes it a permanent target. CosmicSting, tracked as CVE-2024-34102, is one of the worst Magento bugs in years: a pre-authentication flaw that affects every version up to and including 2.4.6 (and unpatched 2.4.7). It carries a CVSS score of 9.8, and it was mass-exploited within weeks of disclosure.

You don't have to guess whether a site is Magento. The platform leaves fingerprints in every response: mage-cache-storage and mage-cache-sessid cookies, X-Magento-* headers, and asset URLs under /static/version<number>/. Those markers are served to any visitor, so identifying a Magento store - and often pinning down whether it's on a vulnerable line - is a passive read of what the shop already hands the browser.

Request:

    GET / HTTP/1.1
    Host: shop.yoursite.com

Response:

    HTTP/1.1 200 OK
    Set-Cookie: mage-cache-storage=...; path=/
    ...
    <link href="/static/version1700000000/frontend/..." rel="stylesheet">

The mage-cache cookie and the /static/version path identify Magento from the outside, no login needed.

Why CosmicSting is so much worse than a normal bug

CVE-2024-34102 is an XML External Entity (XXE) flaw reachable without authentication. On its own that lets an attacker read files from the server. The reason it's catastrophic is what they read: app/etc/env.php, the file that holds Magento's crypt key - the master encryption key that protects admin sessions, API tokens, and stored secrets.

Once an attacker has the crypt key, they can forge valid admin JWTs and authenticate as an administrator without a password. Chained with a separate file-write primitive (the "TrojanOrder"-style follow-on), that becomes full remote code execution on the store. So the honest finding isn't "you have an XXE" - it's "your store may already have handed out the key that unlocks everything else."

day 0: Scanner fingerprints Magento <= 2.4.6 from cookies + version paths
day 0: CosmicSting XXE reads app/etc/env.php
day 0: Extracts the crypt key
day 0: Forges an admin JWT, logs in with no password
day 0: Chains to file write → remote code execution
Pre-auth to admin to RCE, off a single leaked key. Patching alone isn't enough - the key may already be out.

Patch to 2.4.7-p1, then rotate the key

The fix has two parts, and skipping the second is a common, expensive mistake.

Magento / Adobe Commerce 2.4.6
    # vulnerable to CVE-2024-34102 (CosmicSting)
    # crypt key in app/etc/env.php may already be compromised
Upgrade past the floor, then rotate the crypt key - because it may already have leaked.

Upgrade to 2.4.7-p1 or later - or apply Adobe's standalone CosmicSting patch if you can't take a full version jump - and then rotate the crypt key, because patching closes the door but doesn't recall a key that may already be in an attacker's hands. Treat any store that ran a vulnerable version on the public internet as potentially key-compromised.

Whether your store advertises a vulnerable version to a passer-by is something they read from cookies and asset paths, which means we check it the same way. SurfaceCheckr identifies Magento from its mage-cache-* cookies, X-Magento-* headers, and /static/version paths, and flags the CosmicSting risk when the readable version is at or below 2.4.6 - gated on those Magento-specific markers, never on a page that just mentions the platform, and never by sending the XXE. It reads the fingerprint and stops. That's the check that tells you whether your shop is on the line attackers spent 2024 sweeping for.
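The passive fingerprint described above, combined with the 2.4.7-p1 floor from the previous section, as an added Python example for checking your own store's response; this is not SurfaceCheckr's code. The HTTP response is a constructed sample, and the version string is assumed to come from your own deployment records rather than being read off the page.

```python
import re

# Constructed sample response, not a capture from any real store.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: mage-cache-storage=%7B%7D; path=/\r\n"
    "Set-Cookie: mage-cache-sessid=true; path=/\r\n"
    "X-Magento-Cache-Debug: MISS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<link href="/static/version1700000000/frontend/Magento/luma/css/styles-m.css" rel="stylesheet">\n'
)

# First release the article names as closing CosmicSting: 2.4.7-p1.
PATCHED_FLOOR = (2, 4, 7, 1)


def fingerprint_magento(raw: str) -> dict:
    """Report Magento-specific markers in a raw HTTP response.

    Only mage-cache-* cookies, X-Magento-* headers and /static/version<n>/
    asset paths count; a page that merely mentions Magento does not.
    """
    head, _, body = raw.partition("\r\n\r\n")
    cookies, magento_headers = [], []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            if cookie_name.startswith("mage-cache-"):
                cookies.append(cookie_name)
        elif name.lower().startswith("x-magento-"):
            magento_headers.append(name)
    static_paths = sorted(set(re.findall(r"/static/version\d+/", body)))
    return {
        "is_magento": bool(cookies or magento_headers or static_paths),
        "cookies": cookies,
        "headers": magento_headers,
        "static_paths": static_paths,
    }


def parse_version(version: str) -> tuple:
    """Turn '2.4.7-p1' into (2, 4, 7, 1); a missing -pN suffix counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def below_cosmicsting_floor(version: str) -> bool:
    """True when the version predates 2.4.7-p1, i.e. still exposed per the article."""
    return parse_version(version) < PATCHED_FLOOR
```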

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.