deployecommerce / module-prevent-customer-address-file-upload
A Magento2 extension that prevents file uploads to the /customer/address_file/upload endpoint.
Installs: 89
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 0
Open Issues: 0
Type:magento2-module
pkg:composer/deployecommerce/module-prevent-customer-address-file-upload
Requires
- magento/framework: *
- magento/module-customer: 103.0.*
README
This is a Magento 2 extension that prevents file uploads to
/customer/address_file/upload endpoint which is used in combination with an
flaw in Magento's logic to upload code and then execute it for CVE-2025-54236.
Although Adobe patched the part of the code that allows execution of the upload they didn't make any changes to the behaviour that allows upload of files.
Installation
composer require deployecommerce/module-prevent-customer-address-file-upload bin/magento mo:e DeployEcommerce_PreventCustomerAddressFileUpload
Further Reading
- https://sansec.io/research/sessionreaper
- https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/
License
This module is licensed under the MIT License. See the LICENSE file for details.
Thanks
Thanks go to Daniel Sloof at Sansec and the #security channel in the Magento Open Source Slack as we've had many discussions on the issue over the past few weeks. Much thanks go to Blaklis too for his work on reporting the issue and follow up conversations around the exploit.