wubinworks / module-session-reaper-patch
Patch for CVE-2025-54236(a.k.a Session Reaper) which allows customer account takeover and RCE under certain conditions. This patch is actually a Magento 2 extension and universal compatible for Magento 2.3 & 2.4. If you cannot upgrade Magento or cannot apply the official hotfix, try this one.
Installs: 48
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
Type:magento2-module
pkg:composer/wubinworks/module-session-reaper-patch
Requires
- php: >=7.1
- magento/magento2-base: ~2.3.0 || ~2.4.0
This package is not auto-updated.
Last update: 2025-11-09 11:32:00 UTC
README
Patch for CVE-2025-54236(a.k.a Session Reaper) which allows customer account takeover and RCE under certain conditions. This patch is actually a Magento 2 extension and universal compatible for Magento 2.3 & 2.4. If you cannot upgrade Magento or cannot apply the official hotfix, try this one.
Background
CVSS score
9.1 CRITICAL
Official information
What can the attacker damage your store?
- Customer account takeover
- RCE under certain conditions
Feature
- Fixes CVE-2025-54236(a.k.a Session Reaper) vulnerability
Compatibility
No preference is used, so your Magento is still upgradable.
Behavior difference
The official fix still allows dangerous parameter to go to Setters, this patch does not allow it.
Requirements
Magento/Adobe Commerce 2.3 or 2.4
Installation
composer require wubinworks/module-session-reaper-patch
♥
If you like this extension or this extension helped you, please share and ★star☆ this repository, it's not hard!
You may also like these extensions
Security
- Magento 2 Cosmic Sting Patch for CVE-2024-34102
- Magento 2 Trojan Orders Patch for CVE-2022-24086, CVE-2022-24087
- Magento 2 Enhanced XML Security
- Magento 2 Encryption Key Manager CLI
- Magento 2 JWT Authentication Patch