PHPackages listing, category [Security](/categories/security). Status: active Magento 2 module.

qoliber/magento-open-source-security
====================================

Magento 2 security modules for Qoliber open source patches and fixes.

Version 1.0.0 (released 3 months ago). License: MIT. Language: PHP. Listed since Apr 3; last pushed 3 months ago.

[Source](https://github.com/qoliber/magento-open-source-security) | [Packagist](https://packagist.org/packages/qoliber/magento-open-source-security) | [RSS](/packages/qoliber-magento-open-source-security/feed)

Dependencies: 1. Versions: 2. Used by: 0.

Qoliber Magento Open Source Security
====================================


Security hardening package for Magento Open Source and Adobe Commerce.

This package contains two Magento 2 modules:

- `Qoliber_PolyshellPatch`
- `Qoliber_SessionReaperFix`

Both modules are intended as defensive mitigations. They deliberately disable specific upload flows that can be abused.

What It Fixes
-------------


### PolyShell


`Qoliber_PolyshellPatch` blocks file-type custom option uploads through the Web API product option flow.

This is intended as a mitigation for the vulnerability commonly referred to as `PolyShell` and associated with Adobe bulletin `APSB25-94`.

Security tradeoff:

- file-type custom option uploads through this API path are disabled
- integrations relying on that upload behavior will stop working until a vendor patch or a different safe implementation is used

### SessionReaper


`Qoliber_SessionReaperFix` overrides the frontend customer address file upload controller and returns `404 Not Found`.

This closes unauthorized uploads to the customer address media directory.

Important note:

- the original `SessionReaper` issue is already addressed by released Adobe / Magento patches
- however, those patches still allow unauthorized upload attempts to the `customer_address` media directory
- this module hard-disables that upload endpoint as an additional security measure

Security tradeoff:

- customer address file uploads are disabled
- any storefront functionality depending on customer address file attachments will no longer work
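As an added illustration (not code from this package), this is the shape of the controller override the SessionReaper fix is described as using: a `di.xml` preference swaps in a replacement action that answers every request to the customer address file upload route with `404 Not Found` and logs the attempt. The target class `Magento\Customer\Controller\Address\File\Upload` and the module name `Vendor_UploadDisable` are assumptions.

```php
<?php
// Added example, not code from qoliber/magento-open-source-security.
// Assumed wiring in the module's etc/frontend/di.xml:
//
//   <preference for="Magento\Customer\Controller\Address\File\Upload"
//               type="Vendor\UploadDisable\Controller\Address\File\Upload" />
//
// With the preference in place Magento instantiates this class instead of the
// core upload action, so the original upload code path is never reached.
declare(strict_types=1);

namespace Vendor\UploadDisable\Controller\Address\File;

use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\App\Action\HttpPostActionInterface;
use Magento\Framework\App\Request\Http as HttpRequest;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;
use Psr\Log\LoggerInterface;

// Accept both GET and POST so the method-check layer does not short-circuit
// before execute() runs; the response is a 404 either way.
class Upload implements HttpPostActionInterface, HttpGetActionInterface
{
    public function __construct(
        private readonly ResultFactory $resultFactory,
        private readonly HttpRequest $request,
        private readonly LoggerInterface $logger
    ) {
    }

    public function execute(): ResultInterface
    {
        // Record the hit: repeated requests to a disabled upload endpoint are
        // worth alerting on, since legitimate storefront code no longer calls it.
        $this->logger->warning('Blocked request to disabled customer address upload', [
            'path' => $this->request->getPathInfo(),
        ]);

        // Empty raw response with an explicit 404 status, no redirect and no
        // hint that the route once existed.
        $result = $this->resultFactory->create(ResultFactory::TYPE_RAW);
        $result->setHttpResponseCode(404);
        $result->setContents('');
        return $result;
    }
}
```

After installing such a module, confirm the block with a direct request to the route and check that the 404 appears in `var/log/system.log` rather than relying on the frontend form alone.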

Installation
------------


Install the package with Composer in your Magento project:

```
composer require qoliber/magento-open-source-security
```

Then apply Magento setup changes:

```
bin/magento setup:upgrade
bin/magento cache:flush
```

Warnings
--------


- This package is intentionally restrictive.
- It is designed to reduce attack surface, not to preserve all original upload features.
- Review business flows and third-party integrations before enabling it in production.
- If you depend on file uploads in custom options or customer address flows, test those paths explicitly after installation.

Package Contents
----------------


- `src/polyshell-patch-module` provides `Qoliber_PolyshellPatch`
- `src/session-reaper-fix-module` provides `Qoliber_SessionReaperFix`

License
-------


MIT

### Health Score

35 (Low; better than 77% of packages)

- Maintenance 82: actively maintained with recent releases
- Popularity 11: limited adoption so far
- Community 6: small or concentrated contributor base
- Maturity 34: early-stage or recently created project
- Bus factor 1: the top contributor holds 100% of commits, a single point of failure


### Release Activity

- Cadence: unknown
- Total releases: 1
- Last release: 92 days ago

### Community

Maintainers: [qoliber](/maintainers/qoliber)

Top contributors: [wmwnuk](https://github.com/wmwnuk) (2 commits)

Tags: apsb25-94, cve-2025-54236, magento, magento2, polyshell, sessionreaper, security, magentomodule, magento2patch, CVE-2025-54236, sessionreaper, hotfix, security-fix, PolyShell, APSB25-94


PHPackages © 2026

