Security update available for Adobe Commerce - APSB25-08
On February 11, 2025, Adobe released a regularly scheduled security update for Adobe Commerce and Magento Open Source. This update resolves critical, important, and moderate vulnerabilities. Successful exploitation of these vulnerabilities could lead to arbitrary code execution, security feature bypass, and privilege escalation. More information can be found in the Adobe Security Bulletin (APSB25-08).
Please apply the latest security updates as soon as possible. If you fail to do so, you will be vulnerable to these security issues, and Adobe will have limited means to help remediate the issue further.
Affected products and versions
Adobe Commerce on Cloud infrastructure, Adobe Commerce on-premises, and Magento Open Source:
- 2.4.8-beta1 and earlier
- 2.4.7-p3 and earlier
- 2.4.6-p8 and earlier
- 2.4.5-p10 and earlier
- 2.4.4-p11 and earlier
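The version list above can be turned into a triage check for an inventory of stores. The following Python is an added example, not Adobe's code: it reports whether an installed version falls in the affected range and which per-line patch group under "Isolated Patch Details" applies. The function names, the beta/GA/pN ordering, and the treatment of release lines not named on this page are assumptions.

```python
import re

# Highest affected release per line, copied from "Affected products and versions".
LAST_AFFECTED = ["2.4.8-beta1", "2.4.7-p3", "2.4.6-p8", "2.4.5-p10", "2.4.4-p11"]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(beta|p)(\d+))?$")


def parse(version):
    """Turn '2.4.6-p8' into ((2, 4, 6), (1, 8)); within a line, beta < GA < pN."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    line = tuple(int(x) for x in m.group(1, 2, 3))
    stage = {"beta": -1, None: 0, "p": 1}[m.group(4)]
    return line, (stage, int(m.group(5) or 0))


THRESHOLDS = dict(parse(v) for v in LAST_AFFECTED)


def triage(version):
    """Return (affected, patch_line).

    patch_line is the release line whose isolated patch applies, or None
    when the version is not affected or the page lists no patch for it.
    """
    line, stage = parse(version)
    if line in THRESHOLDS:
        affected = stage <= THRESHOLDS[line]
        return affected, ("%d.%d.%d" % line if affected else None)
    if line < min(THRESHOLDS):
        # Covered by "2.4.4-p11 and earlier", but no isolated patch is listed.
        return True, None
    # Assumption: a release line newer than any on the page is out of scope.
    return False, None


if __name__ == "__main__":
    # Constructed inventory of installed versions.
    for v in ["2.4.7-p3", "2.4.7-p4", "2.4.6", "2.4.8-beta1", "2.4.3-p2"]:
        print(v, triage(v))
```

A result of `(True, None)` marks a version that is in the affected range but has no isolated patch listed on this page.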
Solution for Adobe Commerce on Cloud, Adobe Commerce on-premises, and Magento Open Source software
To help resolve the vulnerability for the affected products and versions, you must apply the CVE-2025-24434 Isolated patch that matches your Adobe Commerce/Magento Open Source version.
Isolated Patch Details
Use the following attached Isolated patches, depending on your Adobe Commerce/Magento Open Source version:
For version 2.4.8-beta1:
For versions 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3:
For versions 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8:
For versions 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10:
For versions 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11:
How to apply the Isolated patch
Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
For Adobe Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied
Because it isn’t possible to easily check whether the issue was patched, you might want to check whether the CVE-2025-24434 Isolated patch has been successfully applied. The steps below use VULN-27015-2.4.7_COMPOSER.patch as an example:
Run the command:
-
You should see output similar to this, where VULN-27015 returns the Applied status:
║ Id │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom
Security updates
Security updates available for Adobe Commerce: