SessionReaper (CVE-2025-54236) is a critical Magento 2 and Adobe Commerce vulnerability disclosed in 2025 that can lead to unauthenticated takeover through unsafe session handling. MageArgus checks your store’s exposure for free in under 10 seconds by fingerprinting your version and comparing it to the patched releases.
What is SessionReaper (CVE-2025-54236)?
SessionReaper is the community name for a critical vulnerability in the Magento 2 and Adobe Commerce session/REST layer. Like earlier Magento CVEs, it became a mass-exploitation target within days of disclosure, because so many stores run unpatched, internet-facing Magento.
The danger with this class of bug is that it does not need credentials. An attacker who can reach your storefront can attempt the exploit directly, which is why exposure is essentially a function of which version and patch level you are running — exactly what MageArgus fingerprints from the outside.
How MageArgus checks your exposure
Fingerprint
We detect your Magento / Adobe Commerce edition and version from public signals — no login required.
Map to the CVE
Your version is compared against the patched releases and the official security patch for CVE-2025-54236.
Get the fix
You get a clear verdict plus the exact upgrade or hotfix command to close the gap.
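The "Map to the CVE" step above is a version comparison with one wrinkle: Magento and Adobe Commerce versions carry a "-pN" patch suffix, and a bare release must sort below its own patch releases. The following is an added example of how that comparison can be carried out; it is not MageArgus's own code. The release lines and patch levels in EXAMPLE_FLOORS are constructed placeholders, not the actual fixed releases for CVE-2025-54236, which come from Adobe's security bulletin.

```python
import re
from typing import Dict, Tuple

# Magento / Adobe Commerce version strings look like "2.4.7" or "2.4.7-p3";
# the "-pN" suffix is a patch release on top of the base version.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

ReleaseLine = Tuple[int, int, int]       # (major, minor, revision)
Version = Tuple[int, int, int, int]      # (major, minor, revision, patch level)


def parse_version(text: str) -> Version:
    """Turn "2.4.7-p3" into (2, 4, 7, 3). A bare release counts as patch level 0,
    so "2.4.7" < "2.4.7-p1" < "2.4.7-p3" < "2.4.8" sorts correctly as tuples."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a Magento-style version string: {text!r}")
    major, minor, rev, patch = match.groups()
    return (int(major), int(minor), int(rev), int(patch or 0))


# CONSTRUCTED placeholder data: the first patch level on each release line that
# is assumed to carry the fix. These are NOT the real fixed releases for
# CVE-2025-54236; the actual values come from Adobe's security bulletin.
EXAMPLE_FLOORS: Dict[ReleaseLine, int] = {
    (2, 4, 7): 4,   # placeholder: pretend 2.4.7-p4 is the first fixed 2.4.7 build
    (2, 4, 6): 12,  # placeholder: pretend 2.4.6-p12 is the first fixed 2.4.6 build
}


def verdict(reported_version: str, floors: Dict[ReleaseLine, int]) -> str:
    """Map a reported version onto the table of fixed releases.

    Returns one of:
      "patched"     - same release line, patch level at or above the fixed floor
      "exposed"     - same release line, patch level below the fixed floor
      "unknown"     - release line not in the table (do not assume it is safe)
      "unparseable" - the string is not a version at all

    This judges only the version string the store reports. A string can be
    stale or wrong, so a "patched" verdict should still be confirmed on disk.
    """
    try:
        version = parse_version(reported_version)
    except ValueError:
        return "unparseable"
    line: ReleaseLine = version[:3]
    floor = floors.get(line)
    if floor is None:
        return "unknown"
    return "patched" if version[3] >= floor else "exposed"


if __name__ == "__main__":
    # Constructed sample inputs covering each verdict.
    for sample in ["2.4.7", "2.4.7-p3", "2.4.7-p4", "2.4.6-p12", "2.4.8", "latest"]:
        print(f"{sample:10} -> {verdict(sample, EXAMPLE_FLOORS)}")
```

The "unknown" verdict is deliberate: a release line missing from the table (newer than the table, or end-of-life) should be surfaced for a human to check rather than silently reported as safe.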
How to fix SessionReaper
Apply Adobe’s official security patch for CVE-2025-54236 or upgrade to a fixed release line. After patching, re-run the scan to confirm that the reported version has changed and that the finding clears.
- Patch or upgrade to the fixed Magento / Adobe Commerce release.
- Rotate secrets (admin sessions, integration tokens) if you have any reason to suspect prior compromise.
- Confirm on disk — a remote scan only reads the version your store reports; the MageArgus module confirms the patch is actually present in your codebase, ruling out a version string that says “patched” while the fix is not installed.