
CVE-2025-54236 PoC — Adobe Commerce | Improper Input Validation (CWE-20)

Source
Associated Vulnerability
Title: Adobe Commerce | Improper Input Validation (CWE-20) (CVE-2025-54236)
Description: Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.
Description
This is a tiny lab that simulates the core idea reported for CVE-2025-54236 (“SessionReaper”).
Readme
# Day 1 — SessionReaper-style Vulnerable Lab (Educational)

This is a tiny lab that **simulates** the core idea reported for CVE-2025-54236 (“SessionReaper”): _improper validation of nested JSON leading to dangerous code paths_. This is **not** Magento/Adobe Commerce; it's a minimal educational replica to practice safely in Docker.

## Quickstart

```bash
chmod +x entrypoint.sh
docker build -t day1-reaper .
docker run --rm -d -p 8080:80 --name day1 day1-reaper
# Visit http://localhost:8080/public/
```

> If you get stuck, you can use ./exploit.sh (after the container is running).
File Snapshot

```text
[4.0K] /data/pocs/baea9ba72bad6484c1228b70b615edb2e96d9dc4
├── [ 252] DISCLAIMER.md
├── [ 524] Dockerfile
├── [ 361] entrypoint.sh
├── [ 342] exploit.sh
├── [4.0K] public
│   ├── [4.0K] api
│   │   └── [1020] service.php
│   └── [ 568] index.php
└── [ 587] README.md

2 directories, 7 files
```