- Home
- » Tags
- » SessionReaper
SessionReaper
Session Reaper refers to a class of attacks against Magento / Adobe Commerce that abuses a session deserialization weakness (CVE-2025-54236), especially when file-based sessions are used. Attackers plant crafted “session” payloads that are later processed by the platform, allowing them to hijack sessions and, in some configurations, reach remote code execution.
For background and technical details, see Sansec’s research:
https://sansec.io/research/sessionreaper
Need help assessing, patching, or hardening your store? Visit https://www.controlaltdelete.dev
-
https://github.com/AquiveMedia/magento2-disable-customer-upload-controller
This GitHub repository offers a security module for Magento 2 that disables the unauthenticated customer address file upload endpoint, addressing vulnerabilities that could lead to remote code execution, especially related to a critical vulnerability known as "SessionReaper." It emphasizes the risks associated with arbitrary file uploads, even on patched systems.
11 Nov 2025
-
https://www.sdj.pw/posts/magento2-session-reaper-cve-2025-54236/
How to guide on checking if your Magento 2 store is safe from the Session Reaper (CVE-2025-54236) exploit. And guidance on how to patch and secure your site if it is not.
11 Nov 2025
-
https://maxchadwick.xyz/blog/shutting-down-file-upload-controllers-for-session-reaper-is-futile
Since Searchlight Cyber published a technical write up and proof-of-concept for the SessionReaper vulnerability, attackers have been mass scanning Magento / Adobe Commerce stores for vulnerable targets. The first phase of the attack involves uploading a payload containing malicious session data to the server.
11 Nov 2025
-
https://github.com/DeployEcommerce/module-prevent-customer-address-file-upload
This is a Magento 2 extension that prevents file uploads to /customer/address_file/upload endpoint which is used in combination with an flaw in Magento's logic to upload code and then execute it for CVE-2025-54236.
11 Nov 2025
-
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/
A recent vulnerability in Adobe's e-commerce platform, identified as CVE-2025-54236, poses risks of remote code execution, particularly through file-based session storage, which can be exploited by unauthenticated users. The article analyzes the patch related to this vulnerability, its deserialization mechanisms, and offers insights into potential exploitation methods and vulnerabilities remaining in the application. The narrative provides a deep dive into the exploit chain and necessary payloads while exploring the implications of session management and type handling in the context of security.
28 Oct 2025
