Adobe Commerce REST API constructor parameter injection changes - Merchant Developer Guide

Last update: Mon Sep 22 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

Adobe Commerce and Magento Open Source have introduced changes to the way REST APIs handle constructor parameter injection. This update strengthens the Web API framework by ensuring that only appropriate data types are used in API requests. This article also answers questions related to CVE-2025-54236.

Description description

Environments

Adobe Commerce / Magento Open Source 2.4.4+, 2.4.5+, 2.4.6+, 2.4.7+, 2.4.8+, 2.4.9-alpha3 (all deployment types)

Issue

Adobe Commerce API Data Type Validation Enhancement - Merchant Developer Guide

Overview

What’s New

Enhanced Type Safety in Web APIs

Starting with Adobe Commerce and Magento Open Source 2.4.4-p16, 2.4.5-p15, 2.4.6-p13, 2.4.7-p8, 2.4.8-p3 and 2.4.9-alpha3, the Web API framework now implements stricter data type validation for constructor parameters in API requests. This change ensures that:

✅ Simple data types (strings, integers, booleans) continue to work seamlessly.
✅ API Data interfaces (Api\Data\*Interface) remain fully supported.
🚫 Service classes and complex models are no longer automatically instantiated from API payloads.

Technical Details

What Changed

The ServiceInputProcessor now validates constructor parameters more strictly during API request processing. The enhancement introduces a validation layer that checks parameter types before attempting object instantiation. Specifically, this validation occurs in the getConstructorData() method when the system attempts to populate constructor parameters from API payload data. Previously, all parameter types were processed; now only approved types are allowed through.

Allowed Data Types

SUPPORTED (No changes required):

Simple Types

string – Text values, product names, descriptions
int / integer – Numeric values, quantities, IDs
float / double – Decimal numbers, prices, weights
bool / boolean – True/false values, status flags

API Data Interfaces

All *\Api\Data\*Interface classes

Potentially Affected Integrations

Custom integrations that may need review include:

1. Custom Extensions and Third-party Modules

Extensions sending non-standard constructor parameters
Modules using complex object injection in API payloads
Custom API endpoints with complex parameter structures

2. Testing Scripts

Various testing scripts with complex payloads

Resolution resolution

Migration Guide

Audit Your API Calls

Inventory Current Integrations:

API Call Documentation: Review all documented API endpoints your application uses.
Code Repository Scan: Search the codebase for API calls with complex nested objects.
Network Traffic Analysis: Monitor actual API payloads being sent to Magento.
Third-party Module Review: Check all installed extensions for API usage.

Identification Checklist:

Constructor Parameter Injection: Look for nested objects in API payloads.
Complex Object Types: Check for references to Model classes or services.
Custom Properties: Identify any non-standard API parameters.
Extension-specific APIs: Review custom module API implementations.

Troubleshooting

Common Error Messages

Unsupported Field Names for > 2.4.6

{ "message": "\"{fieldName}\" is not supported. Correct the field name and try again." }

Unsupported Field Names for < =2.4.6

{ "message": "Property \"{fieldName}\" does not have accessor method \"{methodName}\" in class \"{className}\"." }

When this occurs:

Constructor parameters using complex types are rejected.

Debugging Steps

1. Check API Logs while in non-developer mode (for < =2.4.6).

Location: var/log/exception.log
Filter: Search for ServiceInputProcessor entries.
Analysis: Look for parameter processing details.

2. Test with Postman/cURL.

# Test individual API calls curl -X POST "https://your-magento-site.com/rest/V1/products" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_TOKEN" \ -d '{"product":{"sku":"TEST","name":"Test Product"}}'

Version Compatibility

Backward Compatibility

While the changes maintain overall backward compatibility, breaking changes may occur for REST API parameters that are complex types and don’t implement the Api\Data interfaces.

Existing APIs

All standard Magento APIs remain unchanged.
No breaking changes to core functionality.

Custom Extensions

May require updates if using complex constructor injection.
Testing recommended before production deployment.
Extension developers should update documentation.

Third-party Integrations

Should be tested thoroughly.
Contact vendors for compatibility updates.
Monitor integration health post-upgrade.

FAQ

Q: Do I need to update all my API integrations immediately?
A: Only integrations using complex constructor parameter injection need updates. Most standard API calls continue working without changes. Prioritize testing and updating integrations that use complex nested objects in API payloads.

Q: How can I identify if my integration is affected?
A: Test API calls in a development environment with the new version.

Q: Is there a tool to automatically migrate my API calls?
A: There is no fully automated migration tool. Most cases involve removing complex nested objects and using proper API data structures.

Q: What happens to existing API calls that used complex injection?
A: Those API calls will fail with 400 Bad Request or 500 Internal Server Error (for < =2.4.6).

Q: Does this change affect GraphQL APIs?
A: No, this enhancement applies only to REST API requests via ServiceInputProcessor. GraphQL APIs are unaffected.

Q: Can I temporarily disable this validation for testing?
A: No, this validation is built into the core framework and can’t be disabled. Testing can be done on older Magento versions to verify legacy behavior.

Q: What should I do if a third-party extension is affected?
A: Contact the vendor for an updated, compatible version. If unavailable, consider alternatives or work with a developer to create a compatibility layer.

recommendation-more-help

3d58f420-19b5-47a0-a122-5c9dab55ec7f