CVE-2025-54236

This repository provides a patch for CVE-2025-54236 (Session Reaper) in Magento 2, which allows customer account takeover and RCE under certain conditions. The patch is implemented as a Magento 2 extension and includes detailed technical analysis and mitigation code.

This repository contains a functional Python PoC for CVE-2025-54236, a PHP object deserialization vulnerability in Magento 2 / Adobe Commerce leading to unauthenticated RCE. It implements three distinct deserialization vectors via REST API endpoints to exploit improper input validation in ServiceInputProcessor.

This repository contains a functional exploit for CVE-2025-54236, targeting a deserialization vulnerability in Magento 2.4.x/Adobe Commerce. The exploit leverages a Monolog gadget chain to achieve remote code execution (RCE) via crafted input in the 'region' or 'extension_attributes' fields of a guest cart request.

This repository contains a functional exploit PoC for CVE-2025-54236, demonstrating improper validation of nested JSON leading to remote command execution. The exploit leverages a vulnerable PHP API endpoint that processes nested JSON input without proper sanitization, allowing arbitrary command execution via the 'payload.cmd' field.

This Metasploit module exploits CVE-2025-54236, a critical unauthenticated RCE vulnerability in Magento/Adobe Commerce via deserialization and file upload. It chains unauthenticated session file upload with REST API manipulation to achieve remote code execution.