Parth
Tech News
10/09/2025 2 min read

Adobe Patches Critical Flaw in Magento eCommerce Platform

Adobe recently patched a critical vulnerability in its Commerce and Magento Open Source platforms. The flaw, named SessionReaper, affects the Web API and could allow attackers to take over user sessions without any interaction. Technically, this is an Improper Input Validation issue, tracked as CVE-2025-54236. It impacts the ServiceInputProcessor component, which handles API requests from external clients.

Versions affected include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15, and earlier. Adobe rated the vulnerability critical, and the National Vulnerability Database lists a score of 9.1 out of 10. Attackers could exploit it to gain full account access, which affects both confidentiality and integrity. Adobe Commerce on Cloud customers are protected by the Web Application Firewall, but self-hosted Magento instances require immediate patching. The vulnerability is considered one of the most severe in the platform’s history.
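Because the advisory names a separate ceiling for each 2.4.x release line and then says "and earlier", deciding whether a given install falls in the affected range is easy to get wrong by eye (2.4.8 GA is older than 2.4.8-p2, and 2.4.9-alpha2 is older than 2.4.9). The script below is an added example, not Adobe's or the Magento project's code: it parses Magento version strings so that pre-release, GA and patch releases order correctly, and classifies a version against the ceilings quoted in this article. It assumes the version string format used by Magento 2 (`2.4.7`, `2.4.7-p7`, `2.4.9-alpha2`); the function and constant names are this example's own.

```python
import re
from typing import NamedTuple

# Version ceilings quoted in the article from Adobe's advisory for CVE-2025-54236.
# "and earlier" applies within each release line and to any line older than these.
AFFECTED_CEILINGS = [
    "2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7", "2.4.6-p12", "2.4.5-p14", "2.4.4-p15",
]

# Magento versions look like 2.4.7, 2.4.7-p7 (patch release) or 2.4.9-alpha2 (pre-release).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Pre-release tags sort before the GA release; patch releases sort after it.
_STAGE_ORDER = {"alpha": 0, "beta": 1, None: 2, "p": 3}


class MagentoVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int   # value from _STAGE_ORDER, so plain tuple comparison orders releases
    level: int   # alpha2 -> 2, p7 -> 7, GA -> 0

    @property
    def line(self):
        """The release line, e.g. (2, 4, 8), that one advisory ceiling applies to."""
        return (self.major, self.minor, self.patch)


def parse_version(text: str) -> MagentoVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    return MagentoVersion(int(major), int(minor), int(patch),
                          _STAGE_ORDER[tag], int(num) if num else 0)


_CEILINGS = [parse_version(v) for v in AFFECTED_CEILINGS]
_OLDEST_LISTED_LINE = min(c.line for c in _CEILINGS)


def assess(version: str) -> str:
    """Classify an installed version against the advisory's affected list.

    "affected": at or below the ceiling for its release line, or on a line older
    than any listed one. "above-ceiling": newer than its line's ceiling; the
    article names no fixed version, so this still has to be checked against the
    advisory and the hotfix status. "unlisted": a line the advisory never mentions.
    """
    v = parse_version(version)
    for ceiling in _CEILINGS:
        if ceiling.line == v.line:
            return "affected" if v <= ceiling else "above-ceiling"
    if v.line < _OLDEST_LISTED_LINE:
        return "affected"          # the advisory's "and earlier"
    return "unlisted"


if __name__ == "__main__":
    for candidate in ["2.4.8-p2", "2.4.8", "2.4.9", "2.4.3-p3", "2.5.0"]:
        print(f"{candidate:12s} {assess(candidate)}")
```

The version string to feed in comes from `composer show magento/product-community-edition` (or the Commerce equivalent) on the host, not from the storefront, since the public site does not necessarily reveal the patch level. An "above-ceiling" result is deliberately not reported as safe: the fix shipped as a hotfix rather than a new release, so presence of the hotfix has to be confirmed separately.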

How the Flaw Works

The flaw allows malicious API requests to bypass security checks. Normally, input validation ensures that requests are legitimate and prevents attackers from manipulating session tokens. SessionReaper bypasses this process, letting unauthorized users take control of accounts.

This is particularly dangerous for eCommerce stores because administrators and customers could have sensitive data exposed. Attackers could modify orders, access payment information, or change store settings. The patch addresses the validation problem by adding stricter checks and blocking unauthorized session activity. Adobe’s advisory warns that failing to apply the patch leaves systems exposed, with limited support available for remediation.

The Patch and Deployment Challenges

Adobe released the patch on September 9. Organizations running affected Magento versions are urged to apply it immediately. While the patch fixes the vulnerability, some users reported potential issues with external integrations. Certain Magento functions may be disabled or behave differently after applying the hotfix.

This is common in security patches that modify API handling or validation processes. Developers need to test the update in a staging environment before deploying it to live stores. In addition, the patch could be reverse-engineered by attackers if the initial hotfix is leaked. Sansec reported that the hotfix became available online before official deployment, which could allow attackers to analyze the changes and find additional vulnerabilities.

Security Best Practices for Magento Users

Beyond applying the SessionReaper patch, store owners should adopt standard security practices. This includes limiting admin access, using strong authentication methods, monitoring logs for unusual activity, and keeping all software up to date. Web Application Firewalls can help mitigate risks for online stores, but they are not a substitute for patches.

Regular audits of third-party extensions are also important. Extensions can introduce vulnerabilities if they are poorly coded or not maintained. Magento users should disable unused plugins and verify the source of every module. Combining patch management with monitoring and authentication safeguards improves resilience against future attacks and reduces the risk of session hijacking or data exposure.
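The extension audit the paragraph above recommends starts with an inventory of which non-core modules are actually enabled. Magento 2 records that in `app/etc/config.php`, as a PHP array mapping `Vendor_Module` names to `1` (enabled) or `0` (disabled). The script below is an added example, not Magento's own tooling: it pulls that array out of a config file and groups the non-`Magento_*` modules by vendor and state, so the enabled third-party set can be reviewed and the disabled-but-still-installed ones considered for removal. The sample config excerpt is constructed, and the vendor and module names other than `Magento_*` are invented for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of a Magento 2 app/etc/config.php. Only the 'modules'
# array matters here; Acme_* and Example_* are invented module names.
SAMPLE_CONFIG_PHP = """<?php
return [
    'modules' => [
        'Magento_Store' => 1,
        'Magento_Customer' => 1,
        'Magento_Webapi' => 1,
        'Acme_GiftCards' => 1,
        'Acme_LegacyImporter' => 0,
        'Example_OneClickCheckout' => 1,
    ],
    'system' => [
        'default' => [
            'dev' => ['debug' => ['template_hints_storefront' => 0]],
        ],
    ],
];
"""

# The modules array is flat (no nested brackets), so stop at the first closing ']'.
_MODULES_BLOCK_RE = re.compile(r"'modules'\s*=>\s*\[(.*?)\]", re.DOTALL)
_MODULE_ENTRY_RE = re.compile(r"'([A-Za-z0-9]+)_([A-Za-z0-9]+)'\s*=>\s*([01])")

# Vendors treated as platform core and left out of the third-party report.
CORE_VENDORS = {"Magento"}


def parse_modules(config_php: str) -> dict:
    """Return {module_name: enabled} from the 'modules' array of config.php."""
    block = _MODULES_BLOCK_RE.search(config_php)
    if block is None:
        raise ValueError("no 'modules' array found in config.php")
    return {f"{vendor}_{name}": flag == "1"
            for vendor, name, flag in _MODULE_ENTRY_RE.findall(block.group(1))}


def audit_extensions(config_php: str) -> dict:
    """Group non-core modules by vendor and enabled state for review.

    Returns {"enabled": {vendor: [modules]}, "disabled": {vendor: [modules]}}.
    Enabled entries are the ones whose source and maintenance should be verified;
    disabled entries are candidates for removal, since disabled code still sits
    on disk and in the composer lock file.
    """
    report = {"enabled": defaultdict(list), "disabled": defaultdict(list)}
    for module, enabled in sorted(parse_modules(config_php).items()):
        vendor = module.split("_", 1)[0]
        if vendor in CORE_VENDORS:
            continue
        report["enabled" if enabled else "disabled"][vendor].append(module)
    return {state: dict(by_vendor) for state, by_vendor in report.items()}


if __name__ == "__main__":
    result = audit_extensions(SAMPLE_CONFIG_PHP)
    for state in ("enabled", "disabled"):
        for vendor, mods in result[state].items():
            print(f"{state:8s} {vendor:10s} {', '.join(mods)}")
```

To run it against a real store, read `app/etc/config.php` into a string and pass it to `audit_extensions`; the output is the list to cross-check against purchase records and the vendors' release notes, and the "disabled" group is where "disable unused plugins" turns into "remove unused plugins".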

Tags: account takeover, Adobe Magento, API security, CVE-2025-54236, eCommerce cybersecurity, eCommerce vulnerability, Magento patch, Magento security, SessionReaper, Web Application Firewall