Action Required: Critical Security Update Available for Adobe Commerce (APSB25-88)
Updated on September 18, 2025
We were recently made aware by independent security researchers of an issue in Adobe Commerce where an attacker could take over customer accounts through the Commerce REST API (CVE-2025-54236).
Adobe has no evidence of this vulnerability being exploited in the wild.
Adobe has released a security bulletin (APSB25-88) addressing this vulnerability.
NOTE: To remediate the vulnerability CVE-2025-54236 listed in the security bulletin above, Adobe has also released a hotfix that resolves CVE-2025-54236.
Please apply the hotfix as soon as possible. If you fail to do so, you will remain vulnerable to this security issue, and Adobe will have limited means to help remediate.
NOTE: For merchants using Adobe Commerce on Cloud infrastructure, we have deployed web application firewall (WAF) rules to protect environments against exploitation of this vulnerability.
While Adobe has deployed WAF rules to mitigate exploitation of this vulnerability, relying solely on WAF rules does not provide comprehensive protection. Under the shared responsibility model, merchants are responsible for securing their application and ensuring patches are applied. The WAF is an additional layer of defense, but it does not replace the need to apply security hotfixes.
You must follow all remediation guidance provided here, which may include applying patches, updating modules, or implementing other recommended security measures. Failure to do so may leave your environment exposed and limit Adobe’s ability to assist with remediation.
NOTE: For Adobe Commerce on Managed Services merchants, your Customer Success Engineer can provide additional guidance on applying the hotfix.
NOTE: If you have any questions or need assistance, please don’t hesitate to contact our support team.
As a reminder, the latest security updates available for Adobe Commerce are listed under Security updates below.
Description
Affected Products and Versions
Adobe Commerce (all deployment methods):
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
- 2.4.4-p15 and earlier
Adobe Commerce B2B:
- 1.5.3-alpha2 and earlier
- 1.5.2-p2 and earlier
- 1.4.2-p7 and earlier
- 1.3.4-p14 and earlier
- 1.3.3-p15 and earlier
Magento Open Source:
- 2.4.9-alpha2 and earlier
- 2.4.8-p2 and earlier
- 2.4.7-p7 and earlier
- 2.4.6-p12 and earlier
- 2.4.5-p14 and earlier
Custom Attributes Serializable module:
- versions 0.1.0 to 0.4.0
Issue
A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API.
Resolution
CVE-2025-54236: potential attacker could take over customer accounts through the Commerce REST API
For Custom Attributes Serializable module versions:
This guidance applies only if your Adobe Commerce instance currently has an older version of the Custom Attributes Serializable module (magento/out-of-process-custom-attributes module) installed.
NOTE:
- If the Custom Attributes Serializable module (magento/out-of-process-custom-attributes module) isn’t installed in your environment, you can disregard this instruction and proceed with applying the provided hotfix patch.
- If you’re already running the latest version of the Custom Attributes Serializable module, no upgrade is necessary. Proceed with applying the provided hotfix patch.
Make sure to apply the provided hotfix patch to fully remediate the vulnerability.
Applicable versions: 0.1.0 - 0.3.0
Update the Custom Attributes Serializable module to version 0.4.0 or higher.
To update the module, run the following Composer command:
composer require magento/out-of-process-custom-attributes=0.4.0 --with-dependencies
For Adobe Commerce versions:
- 2.4.9-alpha1, 2.4.9-alpha2
- 2.4.8, 2.4.8-p1, 2.4.8-p2
- 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
- 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
- 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14
- 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9, 2.4.4-p10, 2.4.4-p11, 2.4.4-p12, 2.4.4-p13, 2.4.4-p14, 2.4.4-p15
For Adobe Commerce B2B versions:
- 1.5.3-alpha1, 1.5.3-alpha2
- 1.5.2, 1.5.2-p1, 1.5.2-p2
- 1.5.1
- 1.5.0
- 1.4.2, 1.4.2-p1, 1.4.2-p2, 1.4.2-p3, 1.4.2-p4, 1.4.2-p5, 1.4.2-p6, 1.4.2-p7
- 1.4.1
- 1.4.0
- 1.3.5, 1.3.5-p1, 1.3.5-p2, 1.3.5-p3, 1.3.5-p4, 1.3.5-p5, 1.3.5-p6, 1.3.5-p7, 1.3.5-p8, 1.3.5-p9, 1.3.5-p10, 1.3.5-p12
- 1.3.4, 1.3.4-p1, 1.3.4-p2, 1.3.4-p3, 1.3.4-p4, 1.3.4-p5, 1.3.4-p6, 1.3.4-p7, 1.3.4-p8, 1.3.4-p9, 1.3.4-p10, 1.3.4-p11, 1.3.4-p12, 1.3.4-p13, 1.3.4-p14
- 1.3.3, 1.3.3-p1, 1.3.3-p2, 1.3.3-p3, 1.3.3-p4, 1.3.3-p5, 1.3.3-p6, 1.3.3-p7, 1.3.3-p8, 1.3.3-p9, 1.3.3-p10, 1.3.3-p11, 1.3.3-p12, 1.3.3-p13, 1.3.3-p14, 1.3.3-p15
For Magento Open Source versions:
- 2.4.9-alpha1, 2.4.9-alpha2
- 2.4.8, 2.4.8-p1, 2.4.8-p2
- 2.4.7, 2.4.7-p1, 2.4.7-p2, 2.4.7-p3, 2.4.7-p4, 2.4.7-p5, 2.4.7-p6, 2.4.7-p7
- 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.6-p7, 2.4.6-p8, 2.4.6-p9, 2.4.6-p10, 2.4.6-p11, 2.4.6-p12
- 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.5-p9, 2.4.5-p10, 2.4.5-p11, 2.4.5-p12, 2.4.5-p13, 2.4.5-p14
Apply the following hotfix or upgrade to the latest security patch:
How to apply the hotfix
Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
For Adobe Commerce on Cloud merchants only - How to tell whether patches have been applied
Because there is no easy way to determine from the application itself whether the issue has been patched, we recommend that you verify that the CVE-2025-54236 isolated patch has been applied successfully.
NOTE: You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
- Run the command:
vendor/bin/magento-patches -n status | grep "27015\|Status"
- You should see output similar to this, where, in this example, VULN-27015 returns the Applied status:
║ Id │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom
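As an added example (not Adobe's tooling), the following POSIX shell script checks both remediation steps this advisory describes: that the Custom Attributes Serializable module is at version 0.4.0 or later, and that the magento-patches status table reports the VULN-27015 hotfix as Applied. The patch id, module name and table layout are taken from the advisory; the sample status table is constructed, and on a live instance you would pipe in the real command output instead.

```shell
#!/bin/sh
# Added example, not Adobe tooling. Checks the two remediation steps in this advisory:
# the Custom Attributes Serializable module version and the VULN-27015 hotfix status.
# Patch id, module name and table format come from the advisory; SAMPLE_STATUS is constructed.

# Succeeds when a magento-patches status table (on stdin) has a row whose Title column
# contains $1 and whose Status column reads "Applied". Box-drawing borders are stripped first.
patch_applied() {
  sed 's/║//g; s/│/|/g' | awk -F'|' -v id="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # the header row (first row with a "Status" cell) tells us which column to read
    !st { for (i = 1; i <= NF; i++) if (trim($i) == "Status") st = i; next }
    index($2, id) && trim($st) == "Applied" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Succeeds when version $1 (as printed by "composer show magento/out-of-process-custom-attributes")
# is 0.4.0 or later, the module version the advisory gives as fixed.
module_version_ok() {
  awk -v v="$1" 'BEGIN {
    if (v == "") exit 1
    split(v, a, "."); split("0.4.0", b, ".")
    for (i = 1; i <= 3; i++) {
      if (a[i] + 0 > b[i] + 0) exit 0
      if (a[i] + 0 < b[i] + 0) exit 1
    }
    exit 0 }'
}

# Constructed sample of what the advisory's status command prints after its grep filter.
SAMPLE_STATUS='║ Id │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom ║'

# Prints one verdict per check. On a live instance feed the real output instead:
#   vendor/bin/magento-patches -n status | grep "27015\|Status" | patch_applied VULN-27015
report() {
  mod_version="${1:-0.4.0}"   # pass the installed module version as the first argument
  if printf '%s\n' "$SAMPLE_STATUS" | patch_applied VULN-27015; then
    echo "CVE-2025-54236 hotfix: Applied"
  else
    echo "CVE-2025-54236 hotfix: NOT applied, apply the isolated patch"
  fi
  if module_version_ok "$mod_version"; then
    echo "custom-attributes module $mod_version: fixed version"
  else
    echo "custom-attributes module $mod_version: upgrade to 0.4.0 or later"
  fi
}

report "$@"
```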
Security updates
Security updates available for Adobe Commerce: