Session Reaper Patch (CVE-2025-54236) for Magento 2
wubinworks/module-session-reaper-patch
Patches the CVE-2025-54236 (Session Reaper) account-takeover/RCE vulnerability as a universal Magento 2.3/2.4 extension, without using preferences so the store stays upgradable.
Build Tests
Code Quality
Tested on Magento 2.4.9
Recent Test History
Each release is tested against the latest Magento version at that time.
Top Contributors
View Leaderboard
Share This Module's Status
README
Loaded from GitHubMagento 2 Session Reaper Patch for CVE-2025-54236
Patch for CVE-2025-54236(a.k.a Session Reaper) which allows customer account takeover and RCE under certain conditions. This patch is actually a Magento 2 extension and universal compatible for Magento 2.3 & 2.4. If you cannot upgrade Magento or cannot apply the official hotfix, try this one.
Background
CVSS score
9.1 CRITICAL
Official information
What can the attacker damage your store?
- Customer account takeover
- RCE under certain conditions
Feature
- Fixes CVE-2025-54236(a.k.a Session Reaper) vulnerability
Compatibility
No preference is used, so your Magento is still upgradable.
Behavior difference
The official fix still allows dangerous parameter to go to Setters, this patch does not allow it.
Requirements
Magento/Adobe Commerce 2.3 or 2.4
Installation
composer require wubinworks/module-session-reaper-patch
♥
If you like this extension or this extension helped you, please share and ★star☆ this repository, it's not hard!
You may also like these extensions
Security
- Magento 2 Cosmic Sting Patch for CVE-2024-34102
- Magento 2 Trojan Orders Patch for CVE-2022-24086, CVE-2022-24087
- Magento 2 Enhanced XML Security
- Magento 2 Encryption Key Manager CLI
- Magento 2 JWT Authentication Patch
Feature
This content is fetched directly from the module's GitHub repository. We are not the authors of this content and take no responsibility for its accuracy, completeness, or any consequences arising from its use.