Adobe Commerce | Business Logic Errors (CWE-840)
Description
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Business Logic Error vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to circumvent intended security mechanisms by manipulating the logic of the application's operations, causing limited data modification. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A business logic error in Adobe Commerce allows unauthenticated attackers to bypass security features and modify limited data.
Vulnerability Overview
CVE-2025-24425 is a Business Logic Error vulnerability in Adobe Commerce affecting versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. The flaw arises from an error in the application's operational logic, which can be manipulated to circumvent intended security mechanisms [1].
Attack Vector
An attacker can exploit this vulnerability without any user interaction or authentication. The attack is performed by manipulating the application's business logic operations, leading to a security feature bypass [1]. The exact attack vector is not detailed further in the available references.
Impact
Successful exploitation allows an attacker to achieve limited data modification. While the impact is confined to data modification rather than complete data compromise, this can still undermine the integrity of the affected system [1].
Mitigation
Adobe has released patches for the affected versions. Users are advised to upgrade to the latest versions of Adobe Commerce or Magento Open Source (the open-source foundation of Adobe Commerce) to remediate this vulnerability [1][2].
[1] NVD - CVE-2025-24425
[2] GitHub - magento/magento2
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Source | Affected versions | Patched versions |
|---|---|---|---|
| magento/community-edition | Packagist | >= 2.4.7-beta1, < 2.4.7-p4 | 2.4.7-p4 |
| magento/community-edition | Packagist | >= 2.4.6-p1, < 2.4.6-p9 | 2.4.6-p9 |
| magento/community-edition | Packagist | >= 2.4.5-p1, < 2.4.5-p11 | 2.4.5-p11 |
| magento/community-edition | Packagist | < 2.4.4-p12 | 2.4.4-p12 |
| magento/project-community-edition | Packagist | <= 2.0.2 | — |
Affected products (4)
- Range: <= 2.4.8-beta1
- GHSA coordinates (2 versions): >= 2.4.7-beta1, < 2.4.7-p4 (+1 more)
- (no CPE) range: >= 2.4.7-beta1, < 2.4.7-p4
- (no CPE) range: <= 2.0.2
- Adobe / Adobe Commerce (v5) range: 0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-6ff8-jrfg-43hh (ghsa; ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-08.html (ghsa; vendor-advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-24425 (ghsa; ADVISORY)
News mentions (0)
No linked articles in our index yet.