Skip to content

DeployEcommerce/module-prevent-customer-address-file-upload

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
Controller/Address/File
Controller/Address/File
 
 
etc
etc
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
composer.json
composer.json
 
 
registration.php
registration.php
 
 

Repository files navigation

module-prevent-customer-address-file-upload

This is a Magento 2 extension that prevents file uploads to /customer/address_file/upload endpoint which is used in combination with an flaw in Magento's logic to upload code and then execute it for CVE-2025-54236.

Although Adobe patched the part of the code that allows execution of the upload they didn't make any changes to the behaviour that allows upload of files.

Installation

composer require deployecommerce/module-prevent-customer-address-file-upload
bin/magento mo:e DeployEcommerce_PreventCustomerAddressFileUpload

Further Reading

License

This module is licensed under the MIT License. See the LICENSE file for details.

Thanks

Thanks go to Daniel Sloof at Sansec and the #security channel in the Magento Open Source Slack as we've had many discussions on the issue over the past few weeks. Much thanks go to Blaklis too for his work on reporting the issue and follow up conversations around the exploit.

About

A Magento2 extension that prevents file uploads to the /customer/address_file/upload endpoint.

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

v0.0.3 Latest
Oct 29, 2025
+ 2 releases

Packages

No packages published

Languages