Skip to content

AquiveMedia/magento2-disable-customer-upload-controller

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
Plugin/Controller/Address/File
Plugin/Controller/Address/File
 
 
etc
etc
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
composer.json
composer.json
 
 
registration.php
registration.php
 
 

Repository files navigation

AquiveMedia_DisableCustomerFileUpload

A Magento 2 security module that disables the unauthenticated customer address file upload endpoint to protect against CVE-2025-54236 (SessionReaper) and related file upload vulnerabilities.

Security Context

CVE-2025-54236 (SessionReaper)

In October 2025, a critical vulnerability dubbed "SessionReaper" was discovered in Magento 2 / Adobe Commerce. This vulnerability combines two attack vectors:

  1. Nested Deserialization Vulnerability - Allows attackers to control PHP session storage paths via API deserialization chains
  2. Unauthenticated File Upload - Permits arbitrary file uploads through the customer address endpoint

When combined, these vulnerabilities enable remote code execution on vulnerable Magento installations, particularly those using file-based session storage.

The File Upload Component

Even on patched systems where the deserialization vulnerability has been fixed, the file upload endpoint remains a significant security risk:

Endpoint: /customer/address_file/upload

Vulnerabilities:

  • No authentication required
  • Minimal form key validation (any matching cookie/form value works)
  • Allows upload of files without extensions
  • Files stored in predictable locations: pub/media/customer_address/[first_char]/[second_char]/filename
  • Can be exploited for storage abuse, XSS, and social engineering attacks
  • May be chained with future vulnerabilities

What This Module Does

This module completely disables the vulnerable file upload endpoint by intercepting all requests and returning a 403 Forbidden response with a JSON error message.

Implementation:

  • Uses an around plugin on Magento\Customer\Controller\Address\File\Upload::execute()
  • Short-circuits the controller before any file processing occurs
  • Returns a clear error message to legitimate users who might encounter it

Installation

composer require aquivemedia/module-disable-customer-file-upload
bin/magento module:enable AquiveMedia_DisableCustomerFileUpload
bin/magento setup:upgrade
bin/magento cache:flush

When to Use This Module

Install this module if:

  • You don't use custom file upload attributes on customer addresses
  • You want defense-in-depth against file upload vulnerabilities
  • You want to reduce your attack surface

You may not need this module if:

  • You actively use customer address file upload functionality (rare)
  • You have custom extensions that depend on this endpoint
  • You have already disabled write permissions on pub/media/customer_address/

Tested on

  • Magento 2.4.6-p13

Compatibility

Should work on

  • Magento: 2.4.x
  • Adobe Commerce: 2.4.x
  • PHP: 7.4+, 8.1+

Security Recommendations

  1. Apply Adobe Security Patches: Always install the latest security patches from Adobe
  2. Run Security Scans: Use tools like Sansec eComscan to check for backdoors
  3. File Monitoring: Monitor pub/media/customer_address/ for suspicious files: 
    find pub/media/customer_address -type f \( -name "sess_*" -o -name "*.php" \)

References

Support

For issues or questions:

License

See LICENSE file for details.

Author

  • Jeroen de Reus

About

No description, website, or topics provided.

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

12 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 3

1.0.2 Latest
Oct 31, 2025
+ 2 releases

Packages

No packages published

Languages