[PaaS only] Applies to Adobe Commerce on Cloud projects (Adobe-managed PaaS infrastructure) and on-premises projects only.

Release notes for Adobe Commerce 2.4.8 security patches

These security patch release notes capture updates to enhance the security of your Adobe Commerce deployment. Information includes, but is not limited to, the following:

  • Security bug fixes
  • Security highlights that provide more detail about enhancements and updates included in the security patch
  • Known issues
  • Instructions to apply additional patches if required
  • Information about any hot fixes included in the release

Learn more about security patch releases:

2.4.8-p3

The Adobe Commerce 2.4.8-p3 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.8.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB25-94.

NOTE
After installing this security patch, Adobe Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes.

Highlights

This release includes the following highlights:

  • Fix for CVE-2025-54236 to resolve a REST API vulnerability. Adobe released a hotfix for this issue in September 2025. See the Action required: Critical Security Update Available for Adobe Commerce (APSB25-88) Knowledge Base article for details.

  • Developers must review REST API constructor parameter validation to learn how to update extensions to be compliant with these security changes.

  • Fix for ACP2E-3874: The REST API response for order details now contains correct values for the base_row_total and row_total attributes when the same item is ordered several times.

  • Fix for AC-15446: Fixed an error in Magento\Framework\Mail\EmailMessage where getBodyText() attempted to call a non-existent getTextBody() method on Symfony\Component\Mime\Message, ensuring compatibility with Magento 2.4.8-p2 and magento/framework 103.0.8-p2.

  • Migrate from TinyMCE to HugeRTE

    Due to the end of support for TinyMCE 5 and 6 and licensing incompatibilities with TinyMCE 7, the Adobe Commerce WYSIWYG editor has been migrated from TinyMCE to the open-source HugeRTE editor.

    This migration ensures Adobe Commerce remains compliant with open-source licensing, avoids known TinyMCE 6 vulnerabilities, and delivers a modern, supported editing experience for merchants and developers.

  • Added support for Apache ActiveMQ Artemis STOMP protocol

    Added support for the ActiveMQ Artemis open-source message broker through the Simple Text Oriented Messaging Protocol (STOMP). It delivers a reliable and scalable messaging system, offering flexibility for STOMP-based integrations. See Apache ActiveMQ Artemis in the Commerce Configuration Guide.

Known issues

Checkout page fails to load static.min.js and mixins.min.js

After recent Content Security Policy (CSP) and Subresource Integrity (SRI) changes, the checkout page does not load static.min.js and mixins.min.js when JavaScript bundling and minification are both enabled in production mode. As a result, RequireJS mixins do not run, and checkout Knockout templates fail to resolve (for example, "Failed to load the 'Magento_Checkout/shipping' template requested by 'checkout.steps.shipping-step.shippingAddress'").

Workaround:

  • Disable JavaScript bundling; or
  • If you keep JavaScript bundling enabled, disable JavaScript minification.

IMPORTANT
Do not disable CSP or remove SRI protections in production. Any plugin-level bypass should only be used as a last resort for a hotfix and must be reviewed by the Security team.
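The workaround above is a choice between two configuration flags. The following shell helper is an added example, not part of the Adobe release notes: it classifies a store's bundling and minification settings against the known-issue combination and prints the single bin/magento config:set command the workaround calls for. The config paths dev/js/enable_js_bundling and dev/js/minify_files are the standard Adobe Commerce settings read by bin/magento config:show; the helper names and the KEEP_BUNDLING variable are this example's own.

```shell
# Added example (not from the Adobe release notes): detect the 2.4.8-p3
# known-issue configuration (JS bundling AND minification both enabled in
# production) and print the documented workaround command.
# Config paths: dev/js/enable_js_bundling and dev/js/minify_files.

# js_config_status BUNDLING MINIFY
# Prints "affected" when both flags are "1" (checkout fails to load
# static.min.js / mixins.min.js), otherwise "ok".
js_config_status() {
    bundling="$1"
    minify="$2"
    if [ "$bundling" = "1" ] && [ "$minify" = "1" ]; then
        echo "affected"
    else
        echo "ok"
    fi
}

# workaround_command BUNDLING MINIFY
# Prints the config:set command matching the release-note workaround:
# disable bundling, or, when KEEP_BUNDLING=1 is set, keep bundling and
# disable minification instead. Prints nothing when the store is not affected.
workaround_command() {
    if [ "$(js_config_status "$1" "$2")" != "affected" ]; then
        echo ""
        return 0
    fi
    if [ "${KEEP_BUNDLING:-0}" = "1" ]; then
        echo "bin/magento config:set dev/js/minify_files 0"
    else
        echo "bin/magento config:set dev/js/enable_js_bundling 0"
    fi
}

# audit_store reads the live values from a Commerce install (run from the
# project root) and prints the status plus the command to run, if any.
audit_store() {
    b="$(bin/magento config:show dev/js/enable_js_bundling 2>/dev/null | tr -d '[:space:]')"
    m="$(bin/magento config:show dev/js/minify_files 2>/dev/null | tr -d '[:space:]')"
    echo "bundling=${b:-unset} minify=${m:-unset} status=$(js_config_status "$b" "$m")"
    cmd="$(workaround_command "$b" "$m")"
    if [ -n "$cmd" ]; then
        echo "workaround: $cmd"
    fi
    return 0
}

# Usage from the Commerce project root:
#   audit_store
#   KEEP_BUNDLING=1 audit_store   # prefer dropping minification instead
```

The helper only prints the command rather than running it, so the change can be reviewed before it is applied; in production mode a change to either flag takes effect only after static content is redeployed and the cache is flushed.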

Hotfix:

A hotfix addressing this issue will be released as soon as possible. Please monitor this release notes page for updates.

2.4.8-p2

The Adobe Commerce 2.4.8-p2 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.8.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB25-71.

NOTE
After installing this security patch, Adobe Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes.

2.4.8-p1

The Adobe Commerce 2.4.8-p1 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.8.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB25-50.

NOTE
After installing this security patch, Adobe Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes.

Highlights

This release includes the following highlights:

  • API performance enhancement—Resolves performance degradation in bulk asynchronous web API endpoints that was introduced by the previous security patch.

  • CMS Blocks access fix—Resolves an issue where Admin users with restricted permissions (such as merchandising-only access) were unable to view the CMS Blocks listing page.

    Previously, these users encountered an error due to missing configuration parameters after installing previous security patches.

  • Cookie limit compatibility—Resolves a backward-incompatible change involving the MAX_NUM_COOKIES constant in the framework. This update restores expected behavior and ensures compatibility for extensions or customizations that interact with cookie limits.

  • Async operations—Restricted asynchronous operations from overriding customers' previous orders.

  • Fix for CVE-2025-47110—Resolves an email templates vulnerability.

  • Fix for VULN-31547—Resolves a category canonical link vulnerability.


The fixes for CVE-2025-47110 and VULN-31547 are also available as an isolated patch. See the Knowledge Base article for details.
