CVE-2025-24416 Overview
Adobe Commerce and Magento Open Source contain a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier. An attacker holding a low-privileged account can inject JavaScript into a vulnerable form field; the stored payload then executes in the browser of any user who later views the page that renders that field. Successful exploitation enables session takeover, with high impact on confidentiality and integrity. Adobe Commerce B2B 1.5.0 and earlier is also affected. Adobe disclosed and fixed the vulnerability in security bulletin APSB25-08.
Critical Impact
A low-privileged attacker can store malicious JavaScript in an Adobe Commerce form field and hijack the sessions of users who view the affected page, including administrators. Because the script runs inside the victim's already-authenticated browser session, the attacker needs neither the victim's password nor a second factor for the remainder of that session.
Affected Products
- Adobe Commerce 2.4.4 through 2.4.4-p11, 2.4.5 through 2.4.5-p10, 2.4.6 through 2.4.6-p8, 2.4.7 through 2.4.7-p3, and 2.4.8-beta1
- Adobe Commerce B2B 1.3.3 through 1.5.0
- Magento Open Source 2.4.4 through 2.4.8-beta1 (all corresponding patch levels)
Discovery Timeline
- 2025-02-11 - CVE-2025-24416 published to NVD
- 2025-04-16 - Last updated in NVD database
Technical Details for CVE-2025-24416
Vulnerability Analysis
The flaw is a stored Cross-Site Scripting (XSS) issue in Adobe Commerce form-handling logic. Input submitted to vulnerable form fields is persisted server-side and later rendered without sufficient output encoding. When another user, including an administrator, views the page that renders the stored content, the browser interprets the injected payload as executable JavaScript. The script runs in the victim's authenticated context. Magento sets its session cookie as HttpOnly by default, so the payload usually cannot read the cookie value directly, but it does not need to: it can issue authenticated requests from inside the victim's session, for example fetching the admin form_key and submitting a request that creates a new administrator or alters an integration token. That is the session takeover the bulletin describes. The vulnerability is classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Root Cause
The root cause is missing or insufficient contextual output encoding of user-supplied data rendered into HTML. The application stores attacker-controlled strings and later emits them into pages without escaping characters such as <, >, ", and ', which lets arbitrary HTML and <script> constructs break out of the intended data context. The correct fix is to encode each value for the exact context it lands in: Magento's \Magento\Framework\Escaper offers escapeHtml, escapeHtmlAttr, escapeJs and escapeUrl for this purpose. HTML-escaping alone is not enough for every context; a javascript: URL placed in an href attribute survives escapeHtml untouched and still executes when clicked.
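The following Python script is an added illustration of the contextual-encoding point above; it is not Adobe code and does not reproduce the actual vulnerable Magento template, which Adobe has not published. The stored record, the markup and the function names are constructed for the example. It renders the same record three ways: with no encoding (the CWE-79 pattern), with HTML-escaping applied to everything (the common half-fix, which still leaves a javascript: URL live in the href), and with an encoder chosen per context.

```python
import html
from urllib.parse import urlsplit

# Constructed sample of a stored, attacker-controlled record (not real data).
# "name" is rendered into HTML body text, "website" into an href attribute.
STORED = {
    "name": '<img src=x onerror="alert(document.domain)">',
    "website": "javascript:alert(document.cookie)",
}

# Only these URL schemes are allowed into an href; javascript:, data:, vbscript: are dropped.
SAFE_SCHEMES = {"http", "https"}


def render_vulnerable(rec):
    """Emits stored values straight into the page: the CWE-79 pattern."""
    return (f'<td class="name">{rec["name"]}</td>'
            f'<td><a href="{rec["website"]}">site</a></td>')


def render_html_escape_only(rec):
    """Half-fix: HTML-escape everything. Neutralises the <img> payload but the
    javascript: URL is unchanged, because HTML escaping does not validate URLs."""
    return (f'<td class="name">{html.escape(rec["name"], quote=True)}</td>'
            f'<td><a href="{html.escape(rec["website"], quote=True)}">site</a></td>')


def escape_url(value):
    """URL context: allow only absolute http(s) URLs, then HTML-escape the
    result so it is also safe inside a quoted attribute. Anything else is
    replaced by an empty string rather than 'cleaned', which is easier to audit."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return ""
    return html.escape(value.strip(), quote=True)


def render_hardened(rec):
    """Same markup, each value encoded for the context it lands in. The href
    must stay quoted: an unquoted attribute can be broken out of with a space."""
    return (f'<td class="name">{html.escape(rec["name"], quote=True)}</td>'
            f'<td><a href="{escape_url(rec["website"])}">site</a></td>')


if __name__ == "__main__":
    for fn in (render_vulnerable, render_html_escape_only, render_hardened):
        print(f"{fn.__name__}:\n  {fn(STORED)}")
```

The same rule applies to the other contexts Magento templates use: a value placed inside an inline script needs JavaScript string encoding (escapeJs), not HTML encoding, and a value in a CSS property needs escapeCss. Sanitizing on input is a useful defence in depth, but it cannot replace output encoding because the same stored string is rendered in several contexts.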
Attack Vector
Exploitation requires network access to the Commerce storefront or admin panel and a low-privileged authenticated account. The attacker submits a crafted payload into a vulnerable form field, which Adobe Commerce persists in the database. The payload fires when a victim navigates to the page that renders the field, which is the user-interaction requirement. The attacker's script executes under the victim's authority rather than the attacker's own (a scope change in CVSS terms), which is what turns a low-privileged account into a session takeover of an administrator.
No verified public proof-of-concept code is available for this CVE. Refer to the Adobe Security Bulletin APSB25-08 for vendor-confirmed technical details.
Detection Methods for CVE-2025-24416
Indicators of Compromise
- Form field values in the database (customer names and addresses, company names, reviews, CMS content) containing HTML tags such as <script>, <img onerror=, <svg onload=, or javascript: URI schemes, including URL-encoded or HTML-entity-encoded variants of these tokens.
- Unexpected outbound requests from admin or customer browser sessions to attacker-controlled domains shortly after rendering merchant pages.
- Anomalous administrator session reuse from new IP addresses or user agents following a customer-submitted form entry.
Detection Strategies
- Audit stored content in customer-facing and admin-facing fields for HTML tags, event-handler attributes or script URIs that never belong in plain-text data; decode URL and HTML-entity encoding before matching so that encoded or double-encoded payloads are not missed.
- Magento ships a Content Security Policy module (Magento_Csp) that runs in report-only mode by default. Collect its violation reports and review inline-script violations on pages that render user-submitted data. Expect noise: many themes and extensions still rely on inline scripts.
- Review request logs for submissions to form endpoints carrying URL-encoded <script> tags or event-handler attributes. A standard web server access log records only the request line, so it shows query strings but not POST bodies; a ModSecurity audit log, or a reverse proxy configured to log request bodies, is needed to see form payloads.
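As an added, self-contained example of the audit and log-review steps above (not part of the original page or of any Adobe tooling), the script below normalizes values by repeatedly URL-decoding and HTML-entity-decoding them, then matches the same token classes the indicators list names. The database rows and access-log lines are constructed for the example; the table and column names are illustrative, not a statement of where the vulnerable field lives.

```python
import html
import re
from urllib.parse import unquote_plus

# Token classes that should never appear in plain-text merchant data.
XSS_TOKENS = re.compile(
    r"<\s*script\b"                           # <script ...>
    r"|<\s*[a-z][\w-]*[^>]*\bon[a-z]+\s*="     # any tag carrying an on* event handler
    r"|javascript\s*:"                        # javascript: URIs
    r"|data\s*:\s*text/html",                 # data: URIs carrying HTML
    re.IGNORECASE,
)

# Apache/Nginx combined log format: only the request line is available here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize(value, rounds=3):
    """Undo the encodings used to slip past naive matching: repeated URL decoding
    (double encoding), HTML entity decoding, and NUL bytes inserted inside tags."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev = value
        value = html.unescape(unquote_plus(value))
    return value.replace("\x00", "")


def is_suspicious(value):
    return bool(XSS_TOKENS.search(normalize(value)))


def scan_rows(rows):
    """rows: iterable of (table, column, primary_key, value). Returns the hits."""
    return [(t, c, pk) for t, c, pk, v in rows if is_suspicious(v)]


def scan_access_log(lines, methods=("POST",)):
    """Flags requests to form endpoints whose request line carries XSS tokens.
    Query strings are visible here; POST bodies are not (use an audit log for those)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") in methods and is_suspicious(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits


# Constructed sample data (not taken from any real deployment).
SAMPLE_ROWS = [
    ("customer_entity", "firstname", 1, "Alice"),
    ("customer_address_entity", "company", 7, "<svg/onload=alert(1)>"),
    ("customer_entity", "lastname", 3, "%3Cscript%3Ealert(1)%3C/script%3E"),
    ("cms_block", "content", 2, "&lt;img src=x onerror=alert(1)&gt;"),   # entity-encoded attempt
    ("review_detail", "detail", 9, "Great product, works on load & looks good"),
    ("customer_entity", "firstname", 4, "O'Brien"),
]

SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2025:10:01:02 +0000] "POST /customer/account/editPost/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Feb/2025:10:01:09 +0000] "POST /customer/address/formPost/?company=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2025:10:02:00 +0000] "GET /catalogsearch/result/?q=%3Cscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print("stored-data hits:", scan_rows(SAMPLE_ROWS))
    print("access-log hits:", scan_access_log(SAMPLE_LOG))
```

The decoding loop is what makes the difference in practice: a WAF or grep that looks for the literal string <script will miss %253Cscript%253E, which the application decodes twice before storing. Treat hits as triage input, not proof of compromise; legitimate CMS content can contain markup, so compare against the fields that are supposed to be plain text.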
Monitoring Recommendations
- Monitor administrator sessions for use from a new IP address or user agent mid-session, and for privileged actions (new admin users, role changes, integration token creation) performed shortly after the administrator viewed a record containing customer-submitted data. Note that a payload riding the victim's own browser looks like the victim acting from the victim's own client, so the privileged-action signal matters more than the client-change signal.
- Alert on database writes to product, customer, or CMS tables that contain script-like patterns.
- Track changes to admin user accounts, API keys, and integration tokens that may indicate post-XSS session abuse.
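The detector below is an added example of the monitoring logic described in this list; it is not a Magento feature. It assumes an event stream joined from the admin session store (session identifier, user, source IP) and the reverse proxy's access log (user agent, requested admin route). The event records, the route names in PRIVILEGED_ACTIONS and the alert format are all constructed for the example and should be adapted to the real schema.

```python
from datetime import datetime

# Admin routes whose execution is the classic post-XSS move. These names are
# illustrative assumptions for the example, not an authoritative Magento list.
PRIVILEGED_ACTIONS = {
    "admin/user/save",             # create or modify an administrator
    "admin/user_role/saverole",    # change role permissions
    "adminhtml/integration/save",  # mint or alter API integration tokens
}


def detect_session_anomalies(events):
    """events: dicts with ts (ISO 8601), session, user, ip, ua, action.
    Returns alerts as (kind, session, user, ip, ua, action) tuples.

    Two signals are combined:
      session_reuse         - the same session id is driven from a different
                              ip/user-agent than when it was first seen
                              (consistent with session replay after theft)
      privileged_action     - a sensitive admin route was executed; upgraded to
      privileged_after_reuse  when the session had already changed hands.
    A payload that rides the victim's own browser never triggers session_reuse,
    so privileged_action alerts must be reviewed on their own."""
    first_client = {}   # session -> (ip, ua) observed when the session was first seen
    reused = set()
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        sid, client = ev["session"], (ev["ip"], ev["ua"])
        if sid not in first_client:
            first_client[sid] = client
        elif client != first_client[sid]:
            reused.add(sid)
            alerts.append(("session_reuse", sid, ev["user"], ev["ip"], ev["ua"], ev["action"]))
        if ev["action"] in PRIVILEGED_ACTIONS:
            kind = "privileged_after_reuse" if sid in reused else "privileged_action"
            alerts.append((kind, sid, ev["user"], ev["ip"], ev["ua"], ev["action"]))
    return alerts


def count_by_kind(alerts):
    counts = {}
    for alert in alerts:
        counts[alert[0]] = counts.get(alert[0], 0) + 1
    return counts


# Constructed sample events (not from any real deployment).
EVENTS = [
    {"ts": "2025-02-12T09:00:00", "session": "s1", "user": "admin", "ip": "203.0.113.10",
     "ua": "Firefox/128", "action": "admin/dashboard/index"},
    {"ts": "2025-02-12T09:05:00", "session": "s1", "user": "admin", "ip": "203.0.113.10",
     "ua": "Firefox/128", "action": "customer/index/edit"},      # views the poisoned record
    {"ts": "2025-02-12T09:05:20", "session": "s1", "user": "admin", "ip": "203.0.113.10",
     "ua": "Firefox/128", "action": "admin/user/save"},          # script riding the victim's browser
    {"ts": "2025-02-12T09:06:30", "session": "s1", "user": "admin", "ip": "198.51.100.23",
     "ua": "python-requests/2.32", "action": "admin/user/save"}, # replay from attacker's host
    {"ts": "2025-02-12T09:30:00", "session": "s2", "user": "ops", "ip": "203.0.113.44",
     "ua": "Chrome/122", "action": "admin/dashboard/index"},
    {"ts": "2025-02-12T09:31:00", "session": "s2", "user": "ops", "ip": "203.0.113.44",
     "ua": "Chrome/122", "action": "admin/user/save"},           # routine, still worth a look
]

if __name__ == "__main__":
    for alert in detect_session_anomalies(EVENTS):
        print(alert)
```

In the sample, session s1 produces one privileged_action alert while the payload is still running inside the administrator's browser, then a session_reuse and a privileged_after_reuse alert once the same session is driven from an automation client on another host. Session s2 produces only a routine privileged_action alert.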
How to Mitigate CVE-2025-24416
Immediate Actions Required
- Apply the security updates referenced in Adobe Security Bulletin APSB25-08 to all Adobe Commerce, Adobe Commerce B2B, and Magento Open Source instances.
- Inventory all Commerce deployments and confirm patch level against the affected version list before returning systems to production.
- If signs of session hijacking are observed, terminate all active admin sessions by clearing the session store, then rotate administrator credentials, API tokens and integration secrets, and review the admin user list for accounts the attacker may have created.
Patch Information
Adobe released fixes for CVE-2025-24416 on February 11, 2025 in security bulletin APSB25-08. Upgrade each release line to the patch release that follows the affected one: per the bulletin, 2.4.8-beta2, 2.4.7-p4, 2.4.6-p9, 2.4.5-p11 or 2.4.4-p12 for Adobe Commerce and Magento Open Source, and 1.5.1 (or the corresponding patch release of an older supported line) for Adobe Commerce B2B. Confirm the installed version after upgrading; a failed or partially applied composer update leaves the old version in place. Full remediation details are in APSB25-08.
Workarounds
- Where the vulnerable fields are only reachable through an authenticated area, restrict access to those form endpoints to trusted users and networks until patches are applied; this is rarely practical for a public storefront.
- Deploy a web application firewall (WAF) rule set that blocks requests containing common XSS payload patterns targeting Commerce form fields. Treat this as a stopgap: pattern filters are bypassable, and the rule must inspect decoded parameters rather than the raw request body or it will miss URL-encoded payloads.
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins. Magento ships the Magento_Csp module in report-only mode by default; review its reports before switching to enforcing mode, because inline scripts in themes and extensions will otherwise break the storefront and admin panel.

# Verify the running Adobe Commerce / Magento version after patching
php bin/magento --version

# Example ModSecurity v2 rule (stopgap only; pattern filters are bypassable).
# Inspect the parsed, decoded arguments (ARGS) rather than the raw REQUEST_BODY so
# that URL-encoded (%3Cscript) and double-encoded payloads are matched. Requires
# SecRequestBodyAccess On. The disruptive action belongs on the first rule of the chain.
SecRule REQUEST_METHOD "@streq POST" \
    "id:1024416,phase:2,chain,deny,status:403,log,msg:'Possible XSS payload (CVE-2025-24416)'"
    SecRule ARGS "@rx (?i)(<\s*script|\bon(error|load|mouseover)\s*=|javascript\s*:)" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode,t:removeNulls,t:compressWhitespace"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

