- Adobe has patched a critical web API flaw in Commerce and Magento
- The flaw, called SessionReaper, scores 9.1/10 and affects multiple versions
- Researchers warn that the leaked hotfix could help attackers
Adobe has patched a critical vulnerability in its Commerce and Magento Open Source platforms that can lead to full account takeover.
In a recently published security advisory, Adobe said it had fixed an improper input validation (CWE-20) vulnerability affecting the ServiceInputProcessor component of the web API.
In other words, malicious, incorrectly validated API requests can bypass security checks. Researchers have named it SessionReaper.
Most serious bug ever
The flaw is now tracked as CVE-2025-54236 and has been assigned a severity score of 9.1/10 (critical) in the National Vulnerability Database (NVD).
Vulnerable versions include 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier, according to the NVD page.
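A defender's first question is which installs fall inside the "and earlier" range above. The following check is an added example, not code from the article or from Adobe; it assumes Magento's version string layout (`2.4.8-p2`, `2.4.9-alpha2`), where alpha/beta/rc pre-releases sort before the plain release and `p` patch releases sort after it, and it only says whether a version is at or below the listed ceiling, not whether the hotfix has been applied.

```python
import re

# Highest version listed as affected on this page ("2.4.9-alpha2 and earlier").
AFFECTED_CEILING = "2.4.9-alpha2"

# Pre-release suffixes sort before a plain release; "p" (patch) releases sort after it.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3, "p": 4}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '2.4.8-p2' into a comparable tuple (major, minor, patch, suffix_rank, n)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, suffix, n = m.groups()
    suffix = (suffix or "").lower()
    return (int(major), int(minor), int(patch), _SUFFIX_RANK[suffix], int(n or 0))


def is_in_affected_range(version, ceiling=AFFECTED_CEILING):
    """True if `version` is at or below the listed ceiling.

    True means the hotfix must be confirmed applied; False only means the
    version is newer than the range listed in the advisory summary.
    """
    return parse_version(version) <= parse_version(ceiling)


def hosts_needing_action(inventory):
    """Return the hosts whose reported version sits in the affected range.

    `inventory` maps a host name to its Magento version string.
    """
    return sorted(h for h, v in inventory.items() if is_in_affected_range(v))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = {
        "shop-prod-01": "2.4.7-p7",
        "shop-prod-02": "2.4.8-P2",
        "shop-stage": "2.4.9-alpha2",
        "shop-dev": "2.4.9",
    }
    for host in hosts_needing_action(sample):
        print(f"{host}: {sample[host]} is in the affected range; verify the hotfix")
```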
“A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.” Adobe Commerce on Cloud customers are protected by a web application firewall (WAF), the company confirmed.
The company says it is not aware of any exploitation in the wild, but, according to BleepingComputer, the flaw has been described as “the most serious” bug in the platform's history.
A patch was released on September 9 and customers are urged to apply it without delay. “Apply the hotfix as soon as possible. If you do not, you will be vulnerable to this security issue and Adobe will have limited resources to help remediate,” Adobe warned.
Although there is no evidence of in-the-wild abuse, security firm Sansec said that the initial hotfix for SessionReaper was leaked a few days earlier, which could allow malicious actors to reverse-engineer it and find additional holes to exploit, BleepingComputer reported.
At the same time, some researchers believe that applying the fix could break some external code, as it disables certain Magento functionality.
Via BleepingComputer