Nginx remediation for vulnerability CVE-2025-54236#40744

Open

lfluvisotto wants to merge 1 commit intomagento:2.4-developfrom

lfluvisotto:nginx-conf-sample-CVE-2025-54236

Contributor

lfluvisotto commented Apr 16, 2026 •

edited by m2-assistant Bot

Loading

Description (*)

This pull request introduces an additional security mitigation related to CVE-2025-54236.

It was identified that the /media/customer_address/ directory may be publicly accessible, which could expose sensitive files and increase the risk of exploitation.

To reduce the attack surface, this change recommends restricting direct access to this directory at the web server level by adding the following configuration to nginx.conf

This mitigation provides a defense-in-depth layer and helps prevent unauthorized access to sensitive resources. It does not replace applying official security patches but complements them.

Related Pull Requests

N/A

Fixed Issues (if relevant)

https://sansec.io/research/sessionreaper

Manual testing scenarios (*)

Apply the Nginx configuration.
Reload or restart Nginx.
Attempt to access a file inside /media/customer_address/ via a browser or HTTP request.
Verify that access is denied.

Questions or comments

This change is intended as a security hardening measure.

Contribution checklist (*)

Pull request has a meaningful description of its purpose
All commits are accompanied by meaningful commit messages
All new or changed code is covered with unit/integration tests (if applicable)
README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
All automated tests passed successfully (all builds are green)

Resolved issues:

resolves [Issue] Nginx remediation for vulnerability CVE-2025-54236 #40764: Nginx remediation for vulnerability CVE-2025-54236


          Nginx remediation for vulnerability CVE-2025-54236

a0dcefc

m2-assistant Bot commented Apr 16, 2026

Hi @lfluvisotto. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

@magento run all tests - run or re-run all required tests against the PR changes
@magento run <test-build(s)> - run or re-run specific test build(s)
For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

Database Compare
Functional Tests CE
Functional Tests EE
Functional Tests B2B
Integration Tests
Magento Health Index
Sample Data Tests CE
Sample Data Tests EE
Sample Data Tests B2B
Static Tests
Unit Tests
WebAPI Tests
Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

ct-prd-pr-scan Bot commented Apr 16, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

5 similar comments

ct-prd-pr-scan Bot commented Apr 16, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

ct-prd-pr-scan Bot commented Apr 16, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

ct-prd-pr-scan Bot commented Apr 16, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

ct-prd-pr-scan Bot commented Apr 16, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

ct-prd-pr-scan Bot commented Apr 16, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

Contributor Author

lfluvisotto commented Apr 17, 2026

@magento run all tests

Contributor

engcom-Dash commented Apr 21, 2026

@magento create issue

m2-assistant Bot mentioned this pull request

[Issue] Nginx remediation for vulnerability CVE-2025-54236 #40764

Open

5 tasks

ct-prd-pr-scan Bot commented Apr 21, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

engcom-Dash added the Priority: P2 label

ct-prd-projects-boards-automation Bot added this to Pull Requests Dashboard

github-project-automation Bot moved this to Pending Review in Pull Requests Dashboard

ct-prd-projects-boards-automation Bot added the Progress: pending review label

Contributor Author

lfluvisotto commented May 6, 2026

@engcom-Charlie follow-up

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Priority: P2 Progress: pending review