Adobe has disclosed a serious security flaw in Adobe Commerce and Magento Open Source that could let attackers hijack customer accounts. The bug, tracked as CVE-2025-54236 and nicknamed SessionReaper, has been rated 9.1 out of 10 on the CVSS severity scale.
The issue has been described as an improper input validation flaw in the Commerce REST API. If exploited, it would allow attackers to take full control of customer accounts. At the moment, Adobe says it has not seen active attacks using this flaw.
Affected Versions
The flaw impacts multiple versions of Adobe Commerce, Commerce B2B, Magento Open Source, and the Custom Attributes Serializable module. In short, almost all recent builds are affected, including:
- Adobe Commerce 2.4.9-alpha2 and earlier
- Adobe Commerce B2B 1.5.3-alpha2 and earlier
- Magento Open Source 2.4.9-alpha2 and earlier
- Custom Attributes Serializable module 0.1.0 to 0.4.0
Security company Sansec has called SessionReaper one of the most severe Magento bugs in history, comparing it to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024).
Sansec researchers confirmed that the bug can be exploited through a malicious session combined with a nested deserialization issue in Magento’s REST API. While one attack path requires file-based session storage, other methods may also work. This means that even merchants using Redis or database sessions should apply the fix immediately.
Adobe has already released a hotfix and deployed WAF (web application firewall) rules to protect merchants on its cloud infrastructure. Merchants running their own deployments should patch as soon as possible to avoid exploitation.
Alongside this, Adobe also fixed another critical flaw in ColdFusion (CVE-2025-54261, CVSS 9.0). This one is a path traversal bug that could let attackers write files anywhere on the system. It affects ColdFusion 2021, 2023, and 2025 on all platforms.
Magento has a long history of being a top target for hackers, especially since it powers thousands of e-commerce sites. A bug like SessionReaper could directly expose merchants to account takeovers, fraud, and data theft. Even if no active attacks are known yet, the severity means exploits could surface very soon.
Merchants are strongly advised to patch immediately and apply the WAF rules provided by Adobe. Waiting could leave stores wide open to attackers.
