CVE-2025-24438 Overview
CVE-2025-24438 is a stored Cross-Site Scripting (XSS) vulnerability affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. The flaw exists in vulnerable form fields where input is not properly sanitized before being rendered. A low-privileged attacker can inject malicious JavaScript that executes in a victim's browser when they view the affected page. Successful exploitation enables session takeover, allowing attackers to hijack authenticated sessions, including administrator accounts. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers, leading to session hijacking and full administrative account takeover on Adobe Commerce storefronts.
Affected Products
- Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier
- Adobe Commerce B2B versions 1.5.0, 1.4.2-p3, 1.3.5-p8, 1.3.4-p10, 1.3.3-p11 and earlier
- Magento Open Source 2.4.4 through 2.4.8-beta1
Discovery Timeline
- 2025-02-11 - CVE-2025-24438 published to NVD
- 2025-02-11 - Adobe releases security patch via advisory APSB25-08
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-24438
Vulnerability Analysis
The vulnerability is a stored XSS flaw in Adobe Commerce form fields. Stored XSS occurs when an application accepts user-supplied input, persists it in a backend data store, and later renders it in a web page without proper encoding or sanitization. In this case, the affected form fields fail to neutralize JavaScript payloads before saving them to the database.
When another user—such as an administrator, customer service operator, or shopper—browses to a page containing the injected content, the browser parses the malicious markup and executes the embedded JavaScript in the context of the trusted Commerce origin. Because the scope flag is changed (S:C), the impact crosses security boundaries between the storefront and admin contexts.
Root Cause
The root cause is improper neutralization of input during web page generation, mapped to [CWE-79]. The application accepts attacker-controlled content in form fields without applying contextual output encoding when the data is later rendered in HTML responses. Because the payload is persisted in the database, every subsequent visitor to the affected page becomes a potential victim, unlike reflected XSS which requires per-victim delivery.
Attack Vector
Exploitation requires a low-privileged authenticated account, such as a registered customer or low-tier staff user, and user interaction by the victim (browsing to the vulnerable page). The attacker submits a crafted payload into a vulnerable form field. When the victim visits the page rendering that field, the JavaScript executes in their browser session.
A successful payload can read session cookies, issue authenticated requests on the victim's behalf, modify storefront content, exfiltrate customer data, or pivot to admin-level functions if an administrator is the victim. See the Adobe security advisory APSB25-08 for vendor-supplied technical details.
Detection Methods for CVE-2025-24438
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or HTML event handlers (onerror, onload, onclick) stored in Commerce database tables tied to user-editable form fields.
- Anomalous outbound HTTP requests from administrator browsers to attacker-controlled hosts shortly after viewing customer or catalog records.
- Unusual session activity such as admin sessions originating from new IP addresses or geographies following the injection window.
Detection Strategies
- Audit Adobe Commerce database tables for persisted form field values containing HTML control characters or JavaScript keywords using SQL pattern queries.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution attempts that violate policy on Commerce pages.
- Review web server and application logs for POST requests from low-privileged users containing encoded payload markers such as %3Cscript%3E or onerror=.
Monitoring Recommendations
- Monitor administrator login sessions for token reuse across distinct IP addresses, which can indicate a stolen session cookie.
- Track changes to customer, order, and catalog entities by low-privileged accounts and correlate with subsequent admin page views.
- Enable Adobe Commerce action logs and forward them to a centralized SIEM for retention and correlation with web application firewall (WAF) telemetry.
How to Mitigate CVE-2025-24438
Immediate Actions Required
- Apply the Adobe Commerce security updates published in advisory APSB25-08 on all production, staging, and development instances.
- Invalidate active administrator and customer sessions after patching to revoke any tokens that may have been captured through prior exploitation.
- Review recent form submissions and database entries created by low-privileged accounts for persisted script payloads and remove malicious content.
Patch Information
Adobe released fixed versions addressing CVE-2025-24438 in security bulletin APSB25-08. Upgrade Adobe Commerce to a patched release beyond 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, or 2.4.4-p11. Adobe Commerce B2B and Magento Open Source must also be updated to the corresponding patched versions. Refer to the Adobe Magento Security Advisory for the complete version matrix and download links.
Workarounds
- Deploy a strict Content Security Policy that disallows inline scripts and restricts script sources to known origins to limit XSS execution.
- Configure a web application firewall (WAF) with rules to block common XSS payload patterns submitted to Commerce form endpoints.
- Restrict creation of low-privileged accounts and require email verification to raise the cost of attacker reconnaissance and payload delivery.
# Example Content Security Policy header for Adobe Commerce
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-{RANDOM}'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

