Protect Your Magento 2 Store from the APSB25-88 Session Reaper Vulnerability

Time to talk about the APSB25-88 vulnerability, announced on September 9, 2025, and the wave of attacks that followed it. The buzz kept growing and most people have heard about it by now, so if you haven’t checked your site’s security yet, now is definitely the time to do it.

This is a must-read post for Magento 2 store owners. Let’s start.

First, some background on the problem.

The good news: Adobe managed to fix the issue in time.

Adobe’s Official Patch

An emergency patch was rolled out to close the vulnerability, and it completely fixed the issue.

Now it's your turn, and there is very little left to do: apply the patch. Act now to keep your store safe.

Here are the official instructions from Adobe: https://experienceleague.adobe.com/en/docs/experience-cloud-kcs/kbarticles/ka-27397#

Here is what you need to pay attention to:

To apply the patch, please download **VULN-32437-2-4-X** and run:


curl -LO  https://repo.magento.com/patch/VULN-32437-2-4-X-patch.zip
unzip VULN-32437-2-4-X-patch.zip
patch -p1 < VULN-32437_2.4.X.patch && \
php -d memory_limit=-1 bin/magento cache:clean

After running these commands, you will see the following change in `vendor/magento/framework/Webapi/ServiceInputProcessor.php`:


diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
index ba58dc2bc7acf..06919af36d2eb 100644
--- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php
+++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
@@ -246,6 +246,13 @@ private function getConstructorData(string $className, array $data): array
             if (isset($data[$parameter->getName()])) {
                 $parameterType = $this->typeProcessor->getParamType($parameter);
 
+                // Allow only simple types or Api Data Objects
+                if (!($this->typeProcessor->isTypeSimple($parameterType)
+                    || preg_match('~\\\\?\w+\\\\\w+\\\\Api\\\\Data\\\\~', $parameterType) === 1
+                )) {
+                    continue;
+                }
+
                 try {
                     $res[$parameter->getName()] = $this->convertValue($data[$parameter->getName()], $parameterType);
                 } catch (\ReflectionException $e) {
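Review bot: the new guard silently skips a rejected constructor parameter with `continue`, so a caller passing a type that is neither simple nor under `Api\Data\` gets no error and nothing is logged; consider throwing a descriptive exception (or at least logging) at that point, so API consumers see why the value was dropped and defenders get a signal that rejected input reached the endpoint. The pattern is also unanchored, so `preg_match` accepts `Api\Data\` appearing anywhere inside the type string rather than only as the namespace prefix; anchoring it with `^` would make the allow-list intent explicit.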

Now let’s talk about the patches in later releases. Here’s what you need to know to keep your store safe.

Integration of the Patch in Later Versions

As of October 14, Adobe has officially included the fix in the APSB25-94 release. You can verify this in the full Adobe Security Bulletin: https://helpx.adobe.com/security/products/magento/apsb25-94.html

Now, the good news for stores running:

  • Magento 2.4.6-p13
  • Magento 2.4.7-p8
  • Magento 2.4.8-p3

You’re all set: these releases are already protected from the core code execution vulnerability covered by APSB25-88 and APSB25-94. Still, double-check your update status just to be sure you’re protected.

However, we must inform you about something else.

Additional Risk: Malware Uploads to `pub/media/customer_address`

It’s important to know that the patch stops code execution, but it doesn’t actually block malware from being uploaded to the `pub/media/customer_address` directory.

At first glance, your store might seem secure, but attackers could still sneak files into that directory if you’re not careful.

To close that gap, we strongly recommend installing this community-developed security module: https://github.com/olivertar/m2_sessionreaper. Installation is easy: upload the extension and enable the module. It will automatically block unauthorized upload attempts and add a much-needed extra layer of protection to your store.

We do recommend installing the module. It is a simple way to stay one step ahead of potential attacks.

Let’s sum up. To reduce the risk of future attacks, take the following actions to secure your Magento 2 store.

Recommended Actions

Please follow these steps:

  1. Apply the official Adobe patch — either APSB25-88 or APSB25-94.
  2. Inspect and clean the `pub/media/customer_address` directory for suspicious files.
  3. Install the protective module: https://github.com/olivertar/m2_sessionreaper
  4. Run a malware scan to ensure no backdoors or malicious scripts were injected.
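Steps 1 and 2 of this list, and the upload gap described in the previous section, can be scripted. The following shell script is an added example; it is not Adobe's code and not part of the m2_sessionreaper module. It confirms that the hotfix shown in the diff above is present in ServiceInputProcessor.php (it looks for the comment line and the type check the patch adds), and it lists files under pub/media/customer_address that either carry a script-like extension or begin with a PHP open tag regardless of their extension. The function names, the Magento root argument and the sample files in the test are my own; the assumption that a release with the fix already integrated (2.4.6-p13, 2.4.7-p8, 2.4.8-p3) may not contain that exact comment line is also mine, so on such a store rely on `bin/magento --version` for step 1 instead.

```shell
#!/usr/bin/env bash
# Added example, not Adobe's code and not part of the m2_sessionreaper module.
# Two scripted checks for the Recommended Actions list:
#   1. is the APSB25-88 hotfix present in ServiceInputProcessor.php?
#   2. are there script-like files under pub/media/customer_address?
# Assumes it is pointed at a Magento 2 root directory (default: current dir).
set -u

# Step 1: look for the comment and the type check that the hotfix diff adds.
# Assumption: a release with the fix integrated (2.4.6-p13, 2.4.7-p8, 2.4.8-p3)
# may not carry this exact comment; use `bin/magento --version` there instead.
sr_patch_applied() {
    local root="${1:-.}"
    local f="$root/vendor/magento/framework/Webapi/ServiceInputProcessor.php"
    [ -f "$f" ] || return 2
    grep -q 'Allow only simple types or Api Data Objects' "$f" \
        && grep -q 'isTypeSimple(\$parameterType)' "$f"
}

# Step 2: print one "path<TAB>reason" line per suspicious file. Legitimate
# address attachments are images; a script extension, or a PHP open tag in the
# first bytes of any file (e.g. a .jpg that is really PHP), is reported.
sr_list_suspicious_uploads() {
    local root="${1:-.}"
    local dir="$root/pub/media/customer_address"
    [ -d "$dir" ] || return 0
    find "$dir" -type f | while IFS= read -r path; do
        case "$path" in
            *.php|*.phtml|*.phar|*.php[0-9]|*.sh)
                printf '%s\tscript-extension\n' "$path"
                continue ;;
        esac
        # Content check, independent of the file name
        if head -c 512 "$path" | grep -q -e '<?php' -e '<?='; then
            printf '%s\tphp-tag-in-content\n' "$path"
        fi
    done
}

# Combined report; exit status 0 only when both checks pass.
sr_check() {
    local root="${1:-.}" rc=0 findings
    if sr_patch_applied "$root"; then
        echo "OK   hotfix present in vendor/magento/framework/Webapi/ServiceInputProcessor.php"
    else
        echo "FAIL hotfix not found (or vendor file missing): apply VULN-32437 or upgrade"
        rc=1
    fi
    findings=$(sr_list_suspicious_uploads "$root")
    if [ -n "$findings" ]; then
        echo "FAIL suspicious files under pub/media/customer_address:"
        printf '%s\n' "$findings"
        rc=1
    else
        echo "OK   no script-like files under pub/media/customer_address"
    fi
    return "$rc"
}

# Usage: bash session_reaper_check.sh --run /var/www/magento
case "${1:-}" in
    --run) sr_check "${2:-.}"; exit $? ;;
esac
```

Anything the second check reports should be treated as a finding for step 4 (the malware scan), not deleted blindly: keep a copy for investigation before cleaning the directory. Also check that your web server configuration, like Magento's shipped nginx.conf.sample and pub/media/.htaccess, still refuses to execute PHP under pub/media, because a custom configuration that allows it is what turns an uploaded file into a code-execution path.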

That’s it. After completing these steps, you can be confident that your Magento 2 store is protected from the current threats related to the Session Reaper vulnerability.

This post was a tip for running a secure store. Hope the information was helpful.

Please share your thoughts in the comments below.