README

This is a Magento 2 extension that prevents file uploads to /customer/address_file/upload endpoint which is used in combination with an flaw in Magento's logic to upload code and then execute it for CVE-2025-54236.

Although Adobe patched the part of the code that allows execution of the upload they didn't make any changes to the behaviour that allows upload of files.

Installation

composer require deployecommerce/module-prevent-customer-address-file-upload
bin/magento mo:e DeployEcommerce_PreventCustomerAddressFileUpload

Further Reading

• https://sansec.io/research/sessionreaper
• https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

License

This module is licensed under the MIT License. See the LICENSE file for details.

Thanks

Thanks go to Daniel Sloof at Sansec and the #security channel in the Magento Open Source Slack as we've had many discussions on the issue over the past few weeks. Much thanks go to Blaklis too for his work on reporting the issue and follow up conversations around the exploit.