Magento and Adobe SessionReaper Vulnerability Poses Security Risks to Thousands of Online Stores
Adobe has issued an emergency security patch for a critical vulnerability in its Magento and Adobe Commerce platforms, known as “SessionReaper.” This vulnerability, tracked as CVE-2025-54236 and uncovered by Sansec, is considered one of the most severe in Magento’s history, prompting an out-of-band update on September 9th, ahead of the next scheduled patch release on October 14th. The severity of SessionReaper is being compared to significant past vulnerabilities, including Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024), which led to the compromise of thousands of e-commerce sites. The Magento and Adobe Commerce communities are on high alert, emphasising the need for immediate action. However, Adobe’s handling of the disclosure has faced criticism from the open-source community, as paying Adobe Commerce customers received prior notification of the emergency fix, while users of the free Magento Open Source platform were left unprepared.
Merchants are urged to apply the official patch from Adobe without delay; the updates are available on Adobe’s security bulletin webpage. A leaked patch titled “MCLOUD-14016 patch for CVE-2025-54236 webapi improvement” suggests that the vulnerability resides in the Webapi/ServiceInputProcessor.php file. This fix restricts the types of data that can be processed through the API, allowing only simple types or authorised API Data Objects. Merchants are cautioned against applying this unofficial patch, since it has not been confirmed to be final or complete. Given the critical nature of SessionReaper, store owners are strongly advised to prioritise the deployment of the official security update to prevent session hijacking and other potential automated attacks.
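The kind of type restriction described above, as an added illustrative example that is not Adobe's or Magento's code: a minimal service-input processor that maps an untyped request payload onto typed parameters and will only instantiate classes on an explicit allowlist. The class names (AddressData, CustomerData, AllowlistedInputProcessor) are hypothetical stand-ins.

```php
<?php
// Illustrative example, not Adobe's patch: maps a request payload onto typed
// parameters, accepting only scalar "simple" types or data-object classes on an
// explicit allowlist, so a payload can never name an arbitrary class to build.
// AddressData and CustomerData are hypothetical stand-ins for API Data Objects.
declare(strict_types=1);
final class AddressData {
    public function __construct(public string $city = '', public string $postcode = '') {}
}
final class CustomerData {
    public function __construct(public string $email = '', public ?AddressData $address = null) {}
}
final class AllowlistedInputProcessor {
    private const SIMPLE_TYPES = ['string', 'int', 'float', 'bool'];
    /** @param array<string, array<string, string>> $allowed  class name => [property => type] */
    public function __construct(private array $allowed) {}
    /** Converts $value to $type or throws; never instantiates a class outside the allowlist. */
    public function process(string $type, mixed $value): mixed {
        if (in_array($type, self::SIMPLE_TYPES, true)) {
            if (is_array($value) || is_object($value)) {
                throw new InvalidArgumentException("Expected $type, got a compound value");
            }
            settype($value, $type);
            return $value;
        }
        if (!isset($this->allowed[$type]) || !is_array($value)) {
            throw new InvalidArgumentException("'$type' is not an authorised API Data Object");
        }
        $object = new $type();
        foreach ($value as $property => $raw) {
            if (!isset($this->allowed[$type][$property])) {
                throw new InvalidArgumentException("Unknown property '$property' on $type");
            }
            // Recurse so nested objects are checked against the same allowlist.
            $object->$property = $this->process($this->allowed[$type][$property], $raw);
        }
        return $object;
    }
}
$processor = new AllowlistedInputProcessor([
    CustomerData::class => ['email' => 'string', 'address' => AddressData::class],
    AddressData::class  => ['city' => 'string', 'postcode' => 'string'],
]);
// Constructed payloads: a valid nested customer, then one naming a class not on the allowlist.
$customer = $processor->process(CustomerData::class, ['email' => 'a@example.com', 'address' => ['city' => 'Oslo', 'postcode' => '0150']]);
try {
    $processor->process('SplObjectStorage', ['x' => 1]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected before any object is created
}
```

The point for defenders is that the class to instantiate is chosen from the schema, never from the request, and nested values pass through the same check.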
Categories: Security Vulnerability, Software Update, E-commerce Risks
Tags: Adobe, Emergency, Security, Patch, Vulnerability, Magento, SessionReaper, Online Stores, Attacks, Mitigations