PHPackages aquivemedia/module-disable-customer-file-upload - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. aquivemedia/module-disable-customer-file-upload ActiveMagento2-module aquivemedia/module-disable-customer-file-upload =============================================== N/A 1.0.2(6mo ago)164.1k—8.8%1PHP Since Oct 31Pushed 6mo agoCompare [ Source](https://github.com/AquiveMedia/magento2-disable-customer-upload-controller)[ Packagist](https://packagist.org/packages/aquivemedia/module-disable-customer-file-upload)[ RSS](/packages/aquivemedia-module-disable-customer-file-upload/feed)WikiDiscussions master Synced 1mo ago READMEChangelog (3)Dependencies (2)Versions (4)Used By (0) AquiveMedia\_DisableCustomerFileUpload ====================================== [](#aquivemedia_disablecustomerfileupload) A Magento 2 security module that disables the unauthenticated customer address file upload endpoint to protect against CVE-2025-54236 (SessionReaper) and related file upload vulnerabilities. Security Context ---------------- [](#security-context) ### CVE-2025-54236 (SessionReaper) [](#cve-2025-54236-sessionreaper) In October 2025, a critical vulnerability dubbed "SessionReaper" was discovered in Magento 2 / Adobe Commerce. This vulnerability combines two attack vectors: 1. **Nested Deserialization Vulnerability** - Allows attackers to control PHP session storage paths via API deserialization chains 2. **Unauthenticated File Upload** - Permits arbitrary file uploads through the customer address endpoint When combined, these vulnerabilities enable **remote code execution** on vulnerable Magento installations, particularly those using file-based session storage. ### The File Upload Component [](#the-file-upload-component) Even on **patched systems** where the deserialization vulnerability has been fixed, the file upload endpoint remains a significant security risk: **Endpoint:** `/customer/address_file/upload` **Vulnerabilities:** - No authentication required - Minimal form key validation (any matching cookie/form value works) - Allows upload of files without extensions - Files stored in predictable locations: `pub/media/customer_address/[first_char]/[second_char]/filename` - Can be exploited for storage abuse, XSS, and social engineering attacks - May be chained with future vulnerabilities What This Module Does --------------------- [](#what-this-module-does) This module completely disables the vulnerable file upload endpoint by intercepting all requests and returning a `403 Forbidden` response with a JSON error message. **Implementation:** - Uses an `around` plugin on `Magento\Customer\Controller\Address\File\Upload::execute()` - Short-circuits the controller before any file processing occurs - Returns a clear error message to legitimate users who might encounter it Installation ------------ [](#installation) ``` composer require aquivemedia/module-disable-customer-file-upload bin/magento module:enable AquiveMedia_DisableCustomerFileUpload bin/magento setup:upgrade bin/magento cache:flush ``` When to Use This Module ----------------------- [](#when-to-use-this-module) **Install this module if:** - You don't use custom file upload attributes on customer addresses - You want defense-in-depth against file upload vulnerabilities - You want to reduce your attack surface **You may not need this module if:** - You actively use customer address file upload functionality (rare) - You have custom extensions that depend on this endpoint - You have already disabled write permissions on `pub/media/customer_address/` Tested on --------- [](#tested-on) - Magento 2.4.6-p13 Compatibility ------------- [](#compatibility) Should work on - **Magento:** 2.4.x - **Adobe Commerce:** 2.4.x - **PHP:** 7.4+, 8.1+ Security Recommendations ------------------------ [](#security-recommendations) 1. **Apply Adobe Security Patches:** Always install the latest security patches from Adobe 2. **Run Security Scans:** Use tools like [Sansec eComscan](https://sansec.io/ecomscan) to check for backdoors 3. **File Monitoring:** Monitor `pub/media/customer_address/` for suspicious files: ``` find pub/media/customer_address -type f \( -name "sess_*" -o -name "*.php" \) ``` References ---------- [](#references) - [CVE-2025-54236 Details](https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397) - [Sansec SessionReaper Analysis](https://sansec.io/research/sessionreaper) - [Adobe Security Bulletin APSB25-08](https://helpx.adobe.com/security/products/magento/apsb25-08.html) Support ------- [](#support) For issues or questions: - GitHub Issues: [Create an issue](https://github.com/aquivemedia/module-disable-customer-file-upload/issues) License ------- [](#license) See [LICENSE](LICENSE) file for details. Author ------ [](#author) - Jeroen de Reus ### Health Score 38 — LowBetter than 85% of packages Maintenance66 Regular maintenance activity Popularity32 Limited adoption so far Community7 Small or concentrated contributor base Maturity37 Early-stage or recently created project Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~0 days Total 3 Last Release 200d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/97c28d83db787e03e9c1c36b0d30221527cba15880b57ee5efa29517bd16a3a5?d=identicon)[Aquive](/maintainers/Aquive) --- Top Contributors [![Aquive](https://avatars.githubusercontent.com/u/197229?v=4)](https://github.com/Aquive "Aquive (2 commits)") ### Embed Badge ![Health badge](/badges/aquivemedia-module-disable-customer-file-upload/health.svg) ``` [![Health](https://phpackages.com/badges/aquivemedia-module-disable-customer-file-upload/health.svg)](https://phpackages.com/packages/aquivemedia-module-disable-customer-file-upload) ``` ### Alternatives [hyva-themes/magento2-react-checkout Highly customizable Magento 2 Checkout, built with React 189169.8k1](/packages/hyva-themes-magento2-react-checkout)[dotdigital/dotdigital-magento2-extension Dotdigital for Magento 2 50374.2k18](/packages/dotdigital-dotdigital-magento2-extension)[swissup/module-search-mysql-legacy Legacy mysql search for magento 2.4 10483.0k](/packages/swissup-module-search-mysql-legacy)[imi/magento2-friendly-captcha Friendly Captcha integration for Magento2 18116.2k](/packages/imi-magento2-friendly-captcha)[pagbank/payment-magento PagBank - Payment for Magento and Adobe 2128.3k7](/packages/pagbank-payment-magento)[mage-os/module-inventory-reservations-grid Add a grid with the list of inventory reservations. 126.8k](/packages/mage-os-module-inventory-reservations-grid) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)