Solution for Adobe Commerce on Cloud, Adobe Commerce on-premises, and Magento Open Source software

To help resolve the vulnerability for the affected products and versions, you must apply the CVE-2025-24434 Isolated patch that matches your Adobe Commerce/Magento Open Source version.

Isolated Patch Details

Use the following attached Isolated patches, depending on your Adobe Commerce/Magento Open Source version:

For version 2.4.8-beta1:

For versions 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3:

For versions 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8:

For versions 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10:

For versions 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11:

How to apply the Isolated patch

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

For Adobe Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied

Considering that it isn’t possible to easily check if the issue was patched, you might want to check whether the CVE-2025-24434 Isolated patch has been successfully applied.

NOTE
You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
  1. Install the Quality Patches Tool.

  2. Run the command:

    vendor/bin/magento-patches -n status | grep "27015\|Status"

  3. You should see output similar to this, where VULN-27015 returns the Applied status:

    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
    ║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom
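The check in step 3 can be automated in a deployment script. The following is an added example, not Adobe's own code: it reads the status table and succeeds only when the Status cell of the matching row is exactly Applied. The function names `patch_status` and `sample_status`, the `EXAMPLE-0001` row and its "Not applied" status text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the status table: the header and VULN-27015 row follow
# the output shown above; the EXAMPLE-0001 row is made up for this example.
sample_status() {
cat <<'EOF'
║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom
║ N/A           │ ../m2-hotfixes/EXAMPLE-0001.patch                         │ Other           │ Local                  │ Not applied │ Patch type: Custom
EOF
}

# patch_status ID: read the status table on stdin and print the Status cell of
# the first row whose Id or Title contains ID.
# Exit codes: 0 = Applied, 1 = any other status, 2 = no matching row.
# Comparing the whole cell matters: a case-insensitive search for "applied"
# would also match a "Not applied" row.
patch_status() {
    id=$1
    # Normalise the box-drawing column separators to '|' so awk can split.
    sed 's/│/|/g; s/║/|/g' | awk -F'|' -v id="$id" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Fields: $1 empty, $2 Id, $3 Title, $4 Category, $5 Origin, $6 Status
        index($2 $3, id) { status = trim($6); found = 1; exit }
        END {
            if (!found) { print "Not found"; exit 2 }
            print status
            exit (status == "Applied" ? 0 : 1)
        }'
}

# Demonstration on the constructed sample.
sample_status | patch_status VULN-27015
```

In a real environment, pipe the unfiltered status output of the Quality Patches Tool into `patch_status` instead of `sample_status`, and fail the deployment on a non-zero exit code.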
    

Security updates

Security updates available for Adobe Commerce:
