In today’s ecommerce landscape, security isn’t just an option—it’s a necessity. Every Magento or Adobe Commerce store owner must stay informed about critical security updates, alongside features and performance enhancements, to ensure their store remains protected.
Security is very important for any online shopping website. Just one weak spot can put many customers’ personal data and money at risk. Adobe recently found a serious problem (CVE-2025-54236) in Adobe Commerce and Magento Open Source. This problem affects the REST API and could allow bad people to take over customer accounts without permission.
1. Overview of CVE-2025-54236
CVE-2025-54236 is a security issue found in Adobe Commerce and Magento Open Source. It affects the system’s REST API, which is used to communicate and share data. Because of this problem, hackers can potentially access customer accounts without permission, putting personal information and data at risk. It’s important for website owners to fix this problem to keep their customers safe.
The type of vulnerability: incorrect input validation (CWE-20), which allows bypassing security features.
- Security concerns:
- Someone else gets into customer accounts without permission.
- Personal details, addresses, and saved payment info are stolen.
- There is a risk of big fraud problems and harm to the company’s reputation.
- Affected versions:
- This applies to Adobe Commerce and Magento Open Source 2.4.x versions that have not yet installed the latest hotfix.
2. How to fix the problems + Versions that are affected
- Adobe has released a patch called VULN-32437-2-4-X to fix the security issue CVE-2025-54236.
- If you’re using that module and your version is between 0.1.0 and 0.3.0, you should update to version 0.4.0 or higher. Use this command to do it:
- composer require magento/out-of-process-custom-attributes=0.4.0 –with-dependencies
- If you can, update to the newest version that has the fix. Even if you use a quick fix now, it’s best to keep your system updated regularly. Adobe says this update is important, so you should check and update your system often.
3. Here is a list of the versions that need this important update.
| Affected Products | Affected Versions |
|---|---|
| Adobe Commerce |
|
| Adobe Commerce B2B |
|
| Magento Open Source |
|
| Custom Attributes Serializable module |
|
4. How to Use the Hotfix in Your Store?
- For Adobe Commerce on Cloud Platform
- Download the patch zip file and unzip it.
- Create a folder named m2-hotfixes in your main project folder.
- Copy the %patch_name%.composer.patch file(s) into the m2-hotfixes folder.
- Make the changes, save, and upload your code.
- For Adobe Commerce installed on your own server and Magento Open Source.
- Upload the patch file to the main folder of your Adobe Commerce or Magento Open Source website.
- Open your terminal and run this command to apply the patch:
patch -p1 < %patch_name%.composer.patch - If it doesn’t work, try:
patch -p2 < %patch_name%.composer.patch - Then, go to the Admin panel, go to System -> Cache Management, and refresh the cache.
Don’t forget to update the patch today to prevent hackers from gaining access in the future.
