- Adobe patched a critical Web API flaw in Commerce and Magento
- The bug, dubbed SessionReaper, scored 9.1/10 and affects multiple versions
- Researchers warn the leaked hotfix may aid attackers
Adobe has patched a critical vulnerability in its Commerce and Magento Open Source platforms that could lead to full account takeover.
In a recently published security advisory, Adobe said it fixed an Improper Input Validation (CWE-20) vulnerability affecting the ServiceInputProcessor component of the Web API.
In other words, it allows malicious, improperly validated API requests to bypass security controls. Researchers dubbed it SessionReaper.
Most severe flaw ever
The bug is now tracked as CVE-2025-54236 and has been given a severity score of 9.1/10 (critical) on the National Vulnerability Database (NVD).
Vulnerable versions include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, the NVD page says.
“A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.” Adobe Commerce on Cloud customers are protected by a web application firewall (WAF), the company confirmed.
The company says it is not aware of any exploits in the wild but, according to BleepingComputer, describes it as “the most severe” flaw in the history of the platform.
A patch was released on September 9, and customers are urged to apply it without delay. “Please apply the hotfix as soon as possible. If you fail to do so, you will be vulnerable to this security issue, and Adobe will have limited means to help remediate,” Adobe warned.
While there is no evidence of in-the-wild abuse, security outfit Sansec said the initial hotfix for SessionReaper was leaked a few days ago, which could allow malicious actors to reverse-engineer it and find additional holes to exploit, BleepingComputer reported.
At the same time, some researchers believe deploying the fix could break some external code breaking, since it disables certain Magento functionalities.
Via BleepingComputer
