SessionReaper Vulnerability Puts Magento & Adobe Commerce Sites in Hacker Crosshairs

Adobe has released an emergency patch to address CVE-2025-54236, a critical vulnerability in Magento Commerce and open-source Magento installations.

Technical Details

The vulnerability, known as “SessionReaper,” allows attackers to bypass input validation in the Magento Web API. This can result in automated account takeover, data theft, and fraudulent orders without the attacker holding a valid session token. Adobe plans to release the patch on Tue, Sep 9, 2025, at 14:00 UTC, well ahead of its regularly scheduled update on Oct 14, 2025.

Impact and Response

SessionReaper is considered one of the most severe Magento vulnerabilities, comparable to previous critical issues. Adobe initially informed Commerce customers on Sep 4, 2025, while open-source users were not notified, leading to concerns about transparency.

Timeline of Events

  • Aug 22, 2025: Adobe begins internal development of the SessionReaper fix.
  • Sep 4, 2025: Private notification sent to Adobe Commerce customers.
  • Sep 9, 2025: Scheduled public release of the emergency patch at 14:00 UTC.

Recommended Actions

Magento administrators should monitor Adobe’s security page for updates and download the patch immediately upon release. The advisory and patch download will be available at the Magento Security Center.

Mitigation Steps

  • Merchants using Sansec Shield are already protected against SessionReaper.
  • Stores without Sansec Shield should prioritize patch testing in staging environments and schedule immediate deployment.
  • A leaked concept patch, MCLOUD-14016, suggests modifications to vendor/magento/framework/Webapi/ServiceInputProcessor.php to enforce strict parameter type checks. This patch is unofficial and should be tested thoroughly before application.

Post-Patch Actions

  • Ensure staging validation and deploy the update to all environments promptly.
  • Invalidate existing session cookies and require customer reauthentication.
  • Rotate API keys and service account credentials.
  • Monitor logs for suspicious Web API calls.
  • Review live attack feeds for emerging indicators of compromise.
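The “monitor logs for suspicious Web API calls” step above can be turned into a simple detector. The following is an added example, not code from the article, Adobe, or Sansec: it parses combined-format access log lines, keeps only write requests (POST/PUT/DELETE) to the REST API under Magento's default `/rest/` prefix, and flags any client that exceeds a constructed burst threshold inside a sliding time window. The log lines, the `max_writes` threshold and the window size are constructed for illustration and are not indicators of compromise.

```python
"""Flag bursts of Magento Web API write calls in web-server access logs.

Added example (not from the article, Adobe or Sansec). Assumptions:
  * the REST API is served under the /rest/ path prefix (Magento default)
  * logs are in Apache/nginx "combined" format
  * the burst threshold and window are constructed, not tuned values
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WEB_API_PREFIX = "/rest/"          # assumption: Magento's default REST base path
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Sep/2025:14:02:01 +0000] "POST /rest/V1/customers HTTP/1.1" 200 512
203.0.113.5 - - [09/Sep/2025:14:02:02 +0000] "POST /rest/V1/customers HTTP/1.1" 200 498
203.0.113.5 - - [09/Sep/2025:14:02:03 +0000] "POST /rest/V1/customers HTTP/1.1" 200 503
203.0.113.5 - - [09/Sep/2025:14:02:04 +0000] "POST /rest/V1/customers HTTP/1.1" 200 511
203.0.113.5 - - [09/Sep/2025:14:02:05 +0000] "POST /rest/V1/customers HTTP/1.1" 400 97
198.51.100.7 - - [09/Sep/2025:14:03:10 +0000] "GET /rest/V1/products HTTP/1.1" 200 8120
198.51.100.7 - - [09/Sep/2025:14:03:11 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 33120
192.0.2.9 - - [09/Sep/2025:14:05:00 +0000] "PUT /rest/V1/customers/me HTTP/1.1" 200 470
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_web_api_bursts(log_text, max_writes=3, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients whose Web API write calls exceed
    `max_writes` within any `window`-long interval.

    Reads (GET) and non-API paths are ignored so that ordinary catalog
    browsing does not trigger the rule.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(WEB_API_PREFIX):
            continue
        if rec["method"] not in WRITE_METHODS:
            continue
        events[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_writes:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_web_api_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} Web API write calls inside one window")
```

The threshold is intentionally a parameter: a legitimate integration (an ERP sync, for example) may issue many writes, so the value should be set from a baseline of the store's own API traffic and flagged clients reviewed rather than blocked blindly.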

Until the official patch is released, administrators are advised to implement compensating controls such as web application firewalls with strict JSON schema validation to mitigate potential abuse.
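The strict parameter type checks mentioned for `ServiceInputProcessor.php` and the “strict JSON schema validation” compensating control are the same idea applied at two layers: every parameter of a Web API call must carry exactly the JSON type the service method declares. The following is an added example, not Adobe's code, not the MCLOUD-14016 patch and not a WAF product's rule syntax: a small validator that a request filter in front of the REST API could apply. The `CUSTOMER_SAVE_SCHEMA` is a constructed stand-in for a real service-method signature; it is not taken from Magento's API definitions.

```python
"""Strict JSON parameter type checking for a Web API request body.

Added example (not Adobe's or Magento's code). It rejects, rather than
coerces or ignores, anything that does not match the declared schema:
  * a key the service method does not declare
  * a scalar of the wrong JSON type ("1" is not an integer, 1 is not a boolean)
  * an object or array supplied where a scalar is declared
Optional parameters may be absent; the schema below is constructed.
"""
import json

# Constructed schema: parameter name -> Python type of the required JSON
# type. A nested dict declares an object parameter; ("list", T) declares
# an array whose elements must each match T.
CUSTOMER_SAVE_SCHEMA = {
    "customer": {
        "email": str,
        "firstname": str,
        "lastname": str,
        "website_id": int,
        "addresses": ("list", {"street": str, "city": str, "postcode": str}),
    },
    "password": str,
}

JSON_TYPE_NAMES = {str: "string", int: "integer", float: "number", bool: "boolean"}


class ValidationError(ValueError):
    """Raised with a JSON-path-style location of the first violation."""


def _scalar_matches(value, expected):
    # bool is a subclass of int in Python, so check it first and never coerce.
    if isinstance(value, bool):
        return expected is bool
    if expected is float:
        return isinstance(value, (int, float))
    return isinstance(value, expected)


def validate(value, schema, path="$"):
    """Recursively check `value` against `schema`; raise ValidationError on
    the first mismatch, return True otherwise."""
    if isinstance(schema, dict):
        if not isinstance(value, dict):
            raise ValidationError(f"{path}: expected object, got {type(value).__name__}")
        unknown = set(value) - set(schema)
        if unknown:
            raise ValidationError(f"{path}: undeclared parameter(s) {sorted(unknown)}")
        for key, sub_schema in schema.items():
            if key in value:                     # optional parameters may be absent
                validate(value[key], sub_schema, f"{path}.{key}")
        return True
    if isinstance(schema, tuple) and schema[0] == "list":
        if not isinstance(value, list):
            raise ValidationError(f"{path}: expected array, got {type(value).__name__}")
        for i, item in enumerate(value):
            validate(item, schema[1], f"{path}[{i}]")
        return True
    if not _scalar_matches(value, schema):
        raise ValidationError(
            f"{path}: expected {JSON_TYPE_NAMES[schema]}, got {type(value).__name__}"
        )
    return True


def check_request_body(raw_body, schema):
    """Parse a raw JSON body and validate it. Returns (accepted, reason)."""
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    try:
        validate(data, schema)
    except ValidationError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed sample bodies for demonstration.
GOOD_BODY = json.dumps({
    "customer": {"email": "jane@example.com", "firstname": "Jane",
                 "lastname": "Doe", "website_id": 1,
                 "addresses": [{"street": "1 Main St", "city": "Springfield", "postcode": "12345"}]},
    "password": "correct-horse-battery-staple",
})
BAD_TYPE_BODY = json.dumps({"customer": {"email": "jane@example.com", "website_id": "1"}})
BAD_SHAPE_BODY = json.dumps({"customer": {"firstname": {"nested": "object"}}})
BAD_KEY_BODY = json.dumps({"customer": {"email": "jane@example.com"}, "extra": True})

if __name__ == "__main__":
    for body in (GOOD_BODY, BAD_TYPE_BODY, BAD_SHAPE_BODY, BAD_KEY_BODY):
        print(check_request_body(body, CUSTOMER_SAVE_SCHEMA))
```

Rejecting undeclared keys is the part most often relaxed for convenience; keeping it strict is what makes the filter a meaningful stand-in until the official patch is applied, since it refuses input shapes the service method never expected rather than passing them through to be interpreted downstream.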

The urgency of Adobe’s response underlines the critical nature of the SessionReaper vulnerability. Immediate action is essential to prevent automated attacks and protect customer data.
