ACP2E-4049: Unknown IPNs from PayPal abuses application IPN processor

Author: soklymeach

app/code/Magento/Paypal/Controller/Ipn/Index.php

@@ -1,8 +1,7 @@
 <?php
 /**
- *
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2011 Adobe
+ * All Rights Reserved.
  */
 declare(strict_types=1);
 
@@ -13,6 +12,7 @@
 use Magento\Framework\App\Request\InvalidRequestException;
 use Magento\Framework\App\RequestInterface;
 use Magento\Framework\Exception\RemoteServiceUnavailableException;
+use Magento\Paypal\Model\Exception\UnknownIpnException;
 use Magento\Sales\Model\OrderFactory;
 
 /**
@@ -86,19 +86,23 @@ public function execute()
         try {
             $data = $this->getRequest()->getPostValue();
             $this->_ipnFactory->create(['data' => $data])->processIpnRequest();
-            $incrementId = $this->getRequest()->getPostValue()['invoice'];
-            $this->_eventManager->dispatch(
-                'paypal_checkout_success',
-                [
-                    'order' => $this->orderFactory->create()->loadByIncrementId($incrementId)
-                ]
-            );
+            $incrementId = $data['invoice'] ?? null;
+            if ($incrementId) {
+                $this->_eventManager->dispatch(
+                    'paypal_checkout_success',
+                    [
+                        'order' => $this->orderFactory->create()->loadByIncrementId($incrementId)
+                    ]
+                );
+            }
         } catch (RemoteServiceUnavailableException $e) {
             $this->_logger->critical($e);
             $this->getResponse()->setStatusHeader(503, '1.1', 'Service Unavailable')->sendResponse();
             /** @todo eliminate usage of exit statement */
             // phpcs:ignore Magento2.Security.LanguageConstruct.ExitUsage
             exit;
+        } catch (UnknownIpnException $e) {
+            $this->_logger->critical($e);
         } catch (\Exception $e) {
             $this->_logger->critical($e);
             $this->getResponse()->setHttpResponseCode(500);

app/code/Magento/Paypal/Model/Exception/UnknownIpnException.php

@@ -0,0 +1,15 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+namespace Magento\Paypal\Model\Exception;
+
+use Magento\Framework\Exception\LocalizedException;
+
+/**
+ * Exception for unknown or invalid PayPal IPN requests
+ */
+class UnknownIpnException extends LocalizedException
+{
+}

app/code/Magento/Paypal/Model/Ipn.php

@@ -1,14 +1,15 @@
 <?php
 /**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2011 Adobe
+ * All Rights Reserved.
  */
 
 namespace Magento\Paypal\Model;
 
 use Exception;
 use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\LocalizedException;
+use Magento\Paypal\Model\Exception\UnknownIpnException;
 use Magento\Sales\Model\Order;
 use Magento\Sales\Model\Order\Email\Sender\CreditmemoSender;
 use Magento\Sales\Model\Order\Email\Sender\OrderSender;
@@ -151,6 +152,11 @@ protected function _getConfig()
     protected function _getOrder()
     {
         $incrementId = $this->getRequestData('invoice');
+        if (!$incrementId) {
+            throw new UnknownIpnException(
+                __('Missing invoice field in IPN request.')
+            );
+        }
         $this->_order = $this->_orderFactory->create()->loadByIncrementId($incrementId);
         if (!$this->_order->getId()) {
             // phpcs:ignore Magento2.Exceptions.DirectThrow