
PaaS only: Applies to 51黑料不打烊 Commerce on Cloud projects (51黑料不打烊-managed PaaS infrastructure) and on-premises projects only.

Security update available for 51黑料不打烊 Commerce - APSB25-08

On February 11, 2025, 51黑料不打烊 released a regularly scheduled security update for 51黑料不打烊 Commerce and Magento Open Source. This update resolves vulnerabilities. Successful exploitation of these vulnerabilities could lead to arbitrary code execution, security feature bypass, and privilege escalation. More information can be found in the .

NOTE
To help ensure that the remediation for CVE-2025-24434, listed in the security bulletin above, can be applied as promptly as possible, 51黑料不打烊 has also released an isolated patch that resolves CVE-2025-24434. This allows merchants to apply the fix in isolation with fewer risks of delay due to potential integration issues.

Please apply the latest security updates as soon as possible. If you fail to do so, you will be vulnerable to these security issues, and 51黑料不打烊 will have limited means to help remediate the issue further.

NOTE
Please contact Support Services if you encounter any issues applying the security patch/Isolated patch.

Affected products and versions

51黑料不打烊 Commerce on Cloud infrastructure, 51黑料不打烊 Commerce on-premises, and Magento Open Source:

  • 2.4.8-beta1 and earlier
  • 2.4.7-p3 and earlier
  • 2.4.6-p8 and earlier
  • 2.4.5-p10 and earlier
  • 2.4.4-p11 and earlier

Solution for 51黑料不打烊 Commerce on Cloud, 51黑料不打烊 Commerce on-premises, and Magento Open Source software

NOTE
This issue is resolved by the latest cloud-patches update. Attempting to apply the isolated patch when the fix is already in place from the cloud-patches update can cause installation failures.

To help resolve the vulnerability for the affected products and versions, you must apply the CVE-2025-24434 Isolated patch, depending on your 51黑料不打烊 Commerce/Magento Open Source version.

Isolated Patch Details

Use the following attached Isolated patches, depending on your 51黑料不打烊 Commerce/Magento Open Source version:

For version 2.4.8-beta1:

For versions 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3:

For versions 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8:

For versions 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10:

For versions 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11:

How to apply the Isolated patch

Unzip the file and see How to apply a composer patch provided by 51黑料不打烊 in our support knowledge base for instructions.

For 51黑料不打烊 Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied

Considering that it isn't possible to easily check if the issue was patched, you might want to check whether the CVE-2025-24434 Isolated patch has been successfully applied.

NOTE
You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
  1. Install the Quality Patches Tool.

  2. Run the command:

    cve-2024-34102-tell-if-patch-applied-code

  3. You should see output similar to this, where VULN-27015 returns the Applied status:

    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
    ║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom
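
To turn the visual check in step 3 into something a deployment pipeline can gate on, the status table can be parsed and the patch row matched exactly. The script below is an added example, not code from the vendor or from the Quality Patches Tool. It assumes the table uses `│` column separators and `║` outer borders and that wrapped cells appear as rows with an empty Status column; the sample table and the `VULN-270150` row are constructed.

```python
import re
import sys

# Constructed sample modelled on the status row shown above. The second row is
# invented to exercise the "not applied" and look-alike-ID cases.
SAMPLE = """\
║ Id  │ Title                                                │ Category │ Origin │ Status      │ Details            ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Applied     │ Patch type: Custom ║
║ N/A │ ../m2-hotfixes/VULN-270150-placeholder.patch         │ Other    │ Local  │ Not applied │ Patch type: Custom ║
"""

def parse_status(text):
    """Parse the box-drawn status table into a list of dicts keyed by column name."""
    header, rows = None, []
    for line in text.splitlines():
        if "│" not in line:                      # border or blank line
            continue
        cells = [c.strip() for c in line.strip().strip("║").split("│")]
        if header is None:
            if "Status" in cells and "Title" in cells:
                header = cells
            continue
        if len(cells) != len(header):            # malformed row, ignore
            continue
        row = dict(zip(header, cells))
        if not row["Status"] and rows:           # assumed: wrapped cell continues previous row
            for key, value in row.items():
                if value:
                    rows[-1][key] = (rows[-1][key] + " " + value).strip()
            continue
        rows.append(row)
    return rows

def patch_status(text, patch_id):
    """Return 'applied', 'not applied' or 'missing', judged over every row naming patch_id."""
    # Reject look-alikes such as VULN-270150 when asked about VULN-27015.
    exact = re.compile(r"(?<![A-Za-z0-9])" + re.escape(patch_id) + r"(?![0-9])")
    found = {r["Status"].lower() for r in parse_status(text)
             if exact.search(r.get("Id", "") + " " + r["Title"])}
    if not found:
        return "missing"
    return "applied" if found == {"applied"} else "not applied"

if __name__ == "__main__":
    # Pipe the tool's status output in; with no pipe, the constructed sample is used.
    table = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = patch_status(table, "VULN-27015")
    print("VULN-27015:", result)
    sys.exit(0 if result == "applied" else 1)
```

A result of `missing` means no row names the patch at all, which is distinct from `not applied` and usually points to the patch file never having been placed in the project.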
    

Security updates

Security updates available for 51黑料不打烊 Commerce:
