Action Required: Critical Security Update Available for Adobe Commerce (APSB25-88)
Updated on September 18, 2025
We were recently made aware by independent security researchers of an issue in Adobe Commerce where an attacker could take over customer accounts through the Commerce REST API (CVE-2025-54236).
Adobe has no evidence of this vulnerability being exploited in the wild.
Adobe has released a security bulletin (APSB25-88) addressing this vulnerability.
NOTE: To remediate CVE-2025-54236 as listed in the security bulletin above, Adobe has also released a hotfix that resolves CVE-2025-54236.
Please apply the hotfix as soon as possible. If you fail to do so, you will remain vulnerable to this security issue, and Adobe will have limited means to help remediate.
NOTE: For merchants using Adobe Commerce on Cloud infrastructure, we have deployed web application firewall (WAF) rules to protect environments against exploitation of this vulnerability.
While Adobe has deployed WAF rules to mitigate exploitation of this vulnerability, relying solely on WAF rules does not provide comprehensive protection. Under the shared responsibility model, merchants are responsible for securing their application and ensuring patches are applied. The WAF is an additional layer of defense, but it does not replace the need to apply security hotfixes.
You must follow all remediation guidance provided here, which may include applying patches, updating modules, or implementing other recommended security measures. Failure to do so may leave your environment exposed and limit Adobe’s ability to assist with remediation.
NOTE: For Adobe Commerce on Managed Services merchants, your Customer Success Engineer can provide additional guidance on applying the hotfix.
NOTE: If you have any questions or need assistance, please don’t hesitate to contact our support team.
As a reminder, you can find the latest security updates available for Adobe Commerce in the Security updates section below.
Description
Affected Products and Versions
Adobe Commerce (all deployment methods):
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
- 2.4.4-p15 and earlier
Adobe Commerce B2B:
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
- 1.3.4-p14 and earlier
- 1.3.3-p15 and earlier
Magento Open Source:
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
Custom Attributes Serializable module:
- versions 0.1.0 to 0.4.0
Issue
A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API.
Resolution
CVE-2025-54236: a potential attacker could take over customer accounts through the Commerce REST API
For Custom Attributes Serializable module versions:
This guidance applies only if your Adobe Commerce instance currently has an older version of the Custom Attributes Serializable module (magento/out-of-process-custom-attributes module) installed.
NOTE:
- If the Custom Attributes Serializable module (magento/out-of-process-custom-attributes module) isn’t installed in your environment, you can disregard this instruction and proceed with applying the provided hotfix patch.
- If you’re already running the latest version of the Custom Attributes Serializable module, no upgrade is necessary. Proceed with applying the provided hotfix patch.
Make sure to apply the provided hotfix patch to fully remediate the vulnerability.
Applicable versions: 0.1.0 - 0.3.0
Update Custom Attributes Serializable module to version 0.4.0 or higher.
To update the module, this composer command can be executed:
composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies
For Adobe Commerce versions:
- 2.4.9-alpha1, 2.4.9-alpha2
- 2.4.8, 2.4.8-p1, 2.4.8-p2
- 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
- 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
- 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14
- 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11, 2.4.4-p12, 2.4.4-p13, 2.4.4-p14, 2.4.4-p15
For Adobe Commerce B2B versions:
- 1.5.3-alpha1, 1.5.3-alpha2
- 1.5.2, 1.5.2-p1, 1.5.2-p2
- 1.5.1
- 1.5.0
- 1.4.2, 1.4.2-p1, 1.4.2-p2, 1.4.2-p3, 1.4.2-p4, 1.4.2-p5, 1.4.2-p6, 1.4.2-p7
- 1.4.1
- 1.4.0
- 1.3.5, 1.3.5-p1, 1.3.5-p2, 1.3.5-p3, 1.3.5-p4, 1.3.5-p5, 1.3.5-p6, 1.3.5-p7, 1.3.5-p8, 1.3.5-p9, 1.3.5-p10, 1.3.5-p12
- 1.3.4, 1.3.4-p1, 1.3.4-p2, 1.3.4-p3, 1.3.4-p4, 1.3.4-p5, 1.3.4-p6, 1.3.4-p7, 1.3.4-p8, 1.3.4-p9, 1.3.4-p10, 1.3.4-p11, 1.3.4-p12, 1.3.4-p13, 1.3.4-p14
- 1.3.3, 1.3.3-p1, 1.3.3-p2, 1.3.3-p3, 1.3.3-p4, 1.3.3-p5, 1.3.3-p6, 1.3.3-p7, 1.3.3-p8, 1.3.3-p9, 1.3.3-p10, 1.3.3-p11, 1.3.3-p12, 1.3.3-p13, 1.3.3-p14, 1.3.3-p15
For Magento Open Source versions:
- 2.4.9-alpha1, 2.4.9-alpha2
- 2.4.8, 2.4.8-p1, 2.4.8-p2
- 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
- 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
- 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14
Apply the following hotfix or upgrade to the latest security patch:
How to apply the hotfix
Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
For Adobe Commerce on Cloud merchants only - How to tell whether patches have been applied
Because it isn’t possible to easily determine whether the issue was patched, it’s recommended that you check whether the CVE-2025-54236 isolated patch has been successfully applied.
NOTE: You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
- Run the command:
  vendor/bin/magento-patches -n status | grep "27015\|Status"
- You should see output similar to this, where this example VULN-27015 returns the Applied status:
  ║ Id  │ Title                                                 │ Category │ Origin │ Status  │ Details            ║
  ║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Applied │ Patch type: Custom ║
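The two remediation checks this advisory asks for (the hotfix reporting Applied in the magento-patches status table, and the Custom Attributes Serializable module, if installed, being at 0.4.0 or higher) can be scripted so they run after every deploy. The script below is an added example and is not Adobe's own tooling; it assumes the status table uses the column layout shown above (Id │ Title │ Category │ Origin │ Status │ Details), and the sample table it runs against is constructed here, with one invented unapplied row added for contrast. The comment showing how to read the installed module version from composer is an assumption about composer's default output layout.

```shell
#!/bin/sh
# Added example, not Adobe's own tooling. Checks two remediation conditions
# for CVE-2025-54236 from the data the advisory tells merchants to look at:
#   1. the hotfix shows Status "Applied" in `vendor/bin/magento-patches -n status`
#   2. the Custom Attributes Serializable module, if installed, is >= 0.4.0
# The status table layout (box-drawing columns Id │ Title │ Category │ Origin
# │ Status │ Details) is assumed to match the example in the advisory.

# patch_is_applied PATCH_ID STATUS_OUTPUT
# Returns 0 if some row whose Title column contains PATCH_ID has Status "Applied".
# Rows are split on the │ column separator, so "Not applied" never matches.
patch_is_applied() {
  printf '%s\n' "$2" | awk -F '│' -v id="$1" '
    index($2, id) {
      status = $5
      gsub(/^ +| +$/, "", status)
      if (status == "Applied") found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# version_ge A B: returns 0 if dotted version A is greater than or equal to B.
# Components are compared numerically, so 0.10.0 >= 0.4.0 as intended.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# module_is_remediated INSTALLED_VERSION
# An empty version means the module is not installed, which the advisory says
# needs no action; otherwise the installed version must be 0.4.0 or higher.
module_is_remediated() {
  [ -z "$1" ] && return 0
  version_ge "$1" "0.4.0"
}

# check_remediation PATCH_ID STATUS_OUTPUT MODULE_VERSION
# Prints one line per condition and returns 0 only if both are satisfied.
check_remediation() {
  rc=0
  if patch_is_applied "$1" "$2"; then
    echo "OK: $1 reports Status Applied"
  else
    echo "MISSING: $1 is not Applied, apply the hotfix"
    rc=1
  fi
  if module_is_remediated "$3"; then
    echo "OK: custom-attributes module ${3:-not installed}"
  else
    echo "OUTDATED: custom-attributes module $3 (< 0.4.0), run: composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies"
    rc=1
  fi
  return $rc
}

# Constructed sample of the status table: the first data row copies the
# advisory's example, the second is an invented unapplied patch for contrast.
SAMPLE_STATUS='║ Id  │ Title                                                 │ Category │ Origin │ Status      │ Details            ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Applied     │ Patch type: Custom ║
║ N/A │ ../m2-hotfixes/EXAMPLE-UNAPPLIED_patch.patch          │ Other    │ Local  │ Not applied │ Patch type: Custom ║'

# On a real instance the two inputs would come from, for example:
#   STATUS_OUTPUT=$(vendor/bin/magento-patches -n status)
#   MODULE_VERSION=$(composer show magento/out-of-process-custom-attributes 2>/dev/null | awk '/^versions/ {print $NF}')
# (the composer parsing line is an assumption about its default output layout).
check_remediation VULN-27015 "$SAMPLE_STATUS" "0.3.0" && echo "Remediated" || echo "Not fully remediated"
```

Run against the constructed sample, the script reports the hotfix as Applied but flags the module version 0.3.0 as outdated, so the overall result is "Not fully remediated"; wiring the real `magento-patches` and `composer show` output into the two inputs turns it into a post-deploy gate that fails the pipeline until both conditions hold.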
Security updates
Security updates available for Adobe Commerce: