Mitigate SessionReaper (CVE-2025-54236) file upload exploit
# Disable SessionReaper (CVE-2025-54236) file upload exploit entirely.
# note: confirm the customer-address custom file attribute upload is not used on your store before applying — this returns HTTP 400 for every request to this controller, and edits under vendor/ are lost on the next composer install unless applied as a composer patch.
--- a/vendor/magento/module-customer/Controller/Address/File/Upload.php
+++ b/vendor/magento/module-customer/Controller/Address/File/Upload.php
@@ -70,6 +70,7 @@
*/
public function execute()
{
+ http_response_code(400);exit;
try {
$requestedFiles = $this->getRequest()->getFiles('custom_attributes');
if (empty($requestedFiles)) {
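Review bot: The bare `exit` after `http_response_code(400)` terminates the request outside Magento's response pipeline, so the action returns an empty body with no Content-Type and anything that normally runs after `execute()` (plugins, response-header handling) is skipped; it also leaves the whole `try` block below as unreachable code. If this controller extends `Magento\Framework\App\Action\Action`, the same hard block can be expressed as a normal result, `return $this->resultFactory->create(\Magento\Framework\Controller\ResultFactory::TYPE_RAW)->setHttpResponseCode(400);`, which keeps the response path intact. A one-line comment naming the CVE above the guard would help whoever removes it later, e.g. `// Hard-disable: CVE-2025-54236 (SessionReaper) mitigation, remove once the vendor fix is applied`. The body of `execute()` continues past the end of this hunk.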
# Mitigate SessionReaper (CVE-2025-54236) file upload exploit, by adding additional validation
# to the file upload controller restricting file name,mime type and extension.
# note: the following checks are defence in depth only and can be bypassed (e.g. by a file that is both a valid image and a PHP session payload); treat them as a stop-gap until the vendor fix is applied.
--- a/vendor/magento/module-customer/Controller/Address/File/Upload.php
+++ b/vendor/magento/module-customer/Controller/Address/File/Upload.php
@@ -72,6 +72,18 @@
{
try {
$requestedFiles = $this->getRequest()->getFiles('custom_attributes');
+
+ foreach($requestedFiles as $key => $fileInfo) {
+ $isPotentialSessionFile = strpos($fileInfo['name'], 'sess_') === 0 || strpos($fileInfo['full_path'], 'sess_') === 0;
+ $isExpectedExtension = preg_match('/\.(jpg|jpeg|png|gif)$/i', $fileInfo['full_path']);
+ $mimeType = (new \finfo(FILEINFO_MIME_TYPE))->file($fileInfo['tmp_name']);
+ $isExpectedMimeType = in_array($mimeType, ['image/jpg', 'image/jpeg', 'image/png', 'image/gif']);
+
+ if ($isPotentialSessionFile || !$isExpectedMimeType || !$isExpectedExtension) {
+ unset($requestedFiles[$key]);
+ }
+ }
+
if (empty($requestedFiles)) {
$result = $this->processError(__('No files for upload.'));
} else {
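Review bot: The extension check on the `$isExpectedExtension` line runs against `$fileInfo['full_path']`, but `full_path` is only populated by PHP 8.1+ and is documented as untrusted; the string the uploader actually saves under is `name`, so an attacker can send a benign `full_path` with a malicious `name` on 8.1+, while on older PHP the missing key makes `preg_match` run on null and every upload is silently dropped. The `finfo` call on the next line is also executed before checking `$fileInfo['error']` or `is_uploaded_file()`, so a failed upload with an empty `tmp_name` produces a warning instead of a clean rejection, and `in_array` is non-strict. I would validate `name` (falling back to `full_path` only when present), gate the mime sniff on a successful upload, and compare strictly; the comparison with `'image/jpg'` is harmless but finfo only ever reports `image/jpeg`. The enclosing `execute()` starts and ends outside this hunk, and the loop assumes each `$fileInfo` is a flat `$_FILES`-style array — verify that against what `getFiles('custom_attributes')` returns for nested attribute codes.
```php
foreach ($requestedFiles as $key => $fileInfo) {
    $name = (string)($fileInfo['name'] ?? '');
    $fullPath = (string)($fileInfo['full_path'] ?? $name); // full_path only exists on PHP 8.1+
    $tmpName = (string)($fileInfo['tmp_name'] ?? '');

    $isPotentialSessionFile = str_starts_with($name, 'sess_') || str_starts_with($fullPath, 'sess_');
    $isExpectedExtension = preg_match('/\.(jpe?g|png|gif)$/i', $name) === 1;
    $isUploaded = ($fileInfo['error'] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_OK
        && $tmpName !== ''
        && is_uploaded_file($tmpName);
    $mimeType = $isUploaded ? (new \finfo(FILEINFO_MIME_TYPE))->file($tmpName) : false;
    $isExpectedMimeType = in_array($mimeType, ['image/jpeg', 'image/png', 'image/gif'], true);

    if ($isPotentialSessionFile || !$isUploaded || !$isExpectedMimeType || !$isExpectedExtension) {
        unset($requestedFiles[$key]);
    }
}
// … unchanged: empty-check and processError / upload branch …
```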