Security update available for Adobe Commerce - APSB25-08
On February 11, 2025, Adobe released a regularly scheduled security update for Adobe Commerce and Magento Open Source. This update resolves . Successful exploitation of these vulnerabilities could lead to arbitrary code execution, security feature bypass, and privilege escalation. More information can be found in the .
Notes:
To help ensure that the remediation for CVE-2025-24434, listed in the security bulletin above, can be applied as promptly as possible, Adobe has also released an isolated patch that resolves CVE-2025-24434. This lets merchants apply that single fix on its own, with less risk of delay from integration issues with the full update.
Apply the latest security updates as soon as possible. Until you do, you remain exposed to these issues, and Adobe will have limited means to help remediate them further.
Please contact Support Services if you encounter any issues applying the security patch/Isolated patch.
Description
Affected products and versions
Adobe Commerce on Cloud infrastructure, Adobe Commerce on-premises, and Magento Open Source:
- 2.4.8-beta1 and earlier
- 2.4.7-p3 and earlier
- 2.4.6-p8 and earlier
- 2.4.5-p10 and earlier
- 2.4.4-p11 and earlier
Resolution
For Adobe Commerce on Cloud, Adobe Commerce on-premises, and Magento Open Source software
Note: This issue is also resolved by the latest cloud-patches update. Applying the Isolated patch on top of a cloud-patches release that already contains the fix can cause installation failures, so check which fix is in place before applying.
To resolve the vulnerability on the affected versions, apply the CVE-2025-24434 Isolated patch that matches your Adobe Commerce/Magento Open Source version.
Isolated Patch Details
Use the following attached Isolated patches, depending on your Adobe Commerce/Magento Open Source version:
For version 2.4.8-beta1
For versions 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3
For versions 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8
For versions 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10
For versions 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11
How to apply the Isolated patch
Unzip the file and follow How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
For Adobe Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied
Because the underlying fix is not easy to verify directly, confirm instead that the CVE-2025-24434 Isolated patch was applied successfully. Using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
- Run the command:
  vendor/bin/magento-patches -n status | grep "27015\|Status"
- You should see output similar to the following, where the VULN-27015 row has the Applied status:
  ║ Id  │ Title                                                │ Category │ Origin │ Status  │ Details            ║
  ║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Applied │ Patch type: Custom ║
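The manual grep above still requires a person to read the table. As an added example (not part of Adobe's tooling or of this advisory), the shell function below parses the status table that `vendor/bin/magento-patches -n status` prints, finds the Status column from the header row, and returns a distinct exit code for "Applied", "listed but not applied", and "not listed at all", so it can be dropped into a deployment check. The sample tables are constructed from the output format shown above, not captured from a real system; the function name and the exit-code convention are this example's own.

```shell
# Added example, not Adobe's patch tooling: parse the table printed by
# `vendor/bin/magento-patches -n status` and report whether the row for a
# given patch id (e.g. VULN-27015) carries the status "Applied".
# Exit codes: 0 = Applied, 1 = listed but not Applied, 2 = not listed at all.
patch_status() {
  # $1 = status table text, $2 = patch id fragment to look for (matched literally)
  printf '%s\n' "$1" | awk -F '│' -v id="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Locate the Status column from the header row instead of hard-coding it.
    !col && /Status/ { for (i = 1; i <= NF; i++) if (trim($i) == "Status") col = i; next }
    # First row whose text contains the id gives us the status value.
    col && index($0, id) { status = trim($col); found = 1 }
    END {
      if (!found) exit 2
      if (status == "Applied") exit 0
      exit 1
    }'
}

# Constructed sample output modelled on the table shown above (not from a real system).
SAMPLE_APPLIED='║ Id  │ Title                                                │ Category │ Origin │ Status  │ Details            ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Applied │ Patch type: Custom ║'

SAMPLE_NOT_APPLIED='║ Id  │ Title                                                │ Category │ Origin │ Status      │ Details            ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Not applied │ Patch type: Custom ║'

# Live use (assumed to run from the Magento root on a Cloud deployment):
#   patch_status "$(vendor/bin/magento-patches -n status)" VULN-27015 && echo "VULN-27015 applied"
```

Because the function distinguishes "not listed" from "not applied", a deployment hook can fail loudly when the patch file never reached m2-hotfixes, which the bare grep in the step above would silently report as empty output.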