Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
Description
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Uncontrolled Resource Consumption vulnerability that could lead to minor application denial-of-service. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce versions before 2.4.7, 2.4.6-p3, 2.4.5-p5, and 2.4.4-p6 are vulnerable to a resource exhaustion bug causing minor denial-of-service without user interaction.
Vulnerability Description
CVE-2023-38251 is an Uncontrolled Resource Consumption vulnerability in Adobe Commerce. The flaw affects versions 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, and 2.4.4-p5 and earlier [1]. Root cause analysis points to improper handling of resource allocation in certain requests, allowing an attacker to consume server resources without proper limits.
Attack Vector
Exploitation does not require user interaction, meaning an attacker can trigger the resource consumption remotely by sending specially crafted requests [1]. The attack complexity is low, and no authentication is needed, making it accessible to unauthenticated attackers over the network.
Impact
Successful exploitation leads to a minor application denial-of-service (DoS) condition [1]. While the impact is considered minor, repeated exploitation could degrade service availability for legitimate users. The vulnerability does not affect data integrity or confidentiality.
Mitigation
Adobe has released security updates in October 2023 to address this issue. Users should upgrade to Adobe Commerce 2.4.7, 2.4.6-p3, 2.4.5-p5, or 2.4.4-p6 or later. No workarounds are documented, and the vendor advises applying the latest patches [1]. For Magento Open Source users, the project repository on GitHub provides source code for self-managed deployments [2].
- NVD - CVE-2023-38251
- GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-beta2 | 2.4.7-beta2 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p3 | 2.4.6-p3 |
| magento/community-edition (Packagist) | >= 2.4.5-p1, < 2.4.5-p5 | 2.4.5-p5 |
| magento/community-edition (Packagist) | >= 2.4.4-p1, < 2.4.4-p6 | 2.4.4-p6 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- Range: <=2.4.7-beta1, <=2.4.6-p2, <=2.4.5-p4, <=2.4.4-p5
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-beta2, and 1 more
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-beta2
- (no CPE) range: <= 2.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7pfc-834q-h497 (GHSA; advisory)
- helpx.adobe.com/security/products/magento/apsb23-50.html (GHSA; vendor advisory; web)
- nvd.nist.gov/vuln/detail/CVE-2023-38251 (GHSA; advisory)
News mentions
No linked articles in our index yet.