Update Your Magento Store to the Latest Version, 2.4.8
Latest Magento Update and Patches Released as of 31st Oct 2025
Critical Update
The latest patch addresses the Session Reaper vulnerability, one of the most severe issues in Magento’s history. This flaw could allow unauthenticated attackers to hijack customer sessions and potentially execute remote code.
Latest Version of Magento: 2.4.8-p3
Oldest Supported Version of Magento: 2.4.6
End of Life: August 11, 2026
NOTE: Support for Magento 2.4.4 and 2.4.5 on Magento Open Source has ended. For Adobe Commerce users, extended support is available until April 2026 and August 2026 respectively.
Latest Security Patch for Supported Version
Date of Release: 29th Oct 2025
Versions
Magento 2.4.8 (p3)
Magento 2.4.7 (p8)
Magento 2.4.6 (p13)
Magento 2.4.5 (p15) *
Magento 2.4.4 (p14) *
Based on the latest security bulletin (APSB25-26) released by Adobe on April 8, 2025, the following critical issues have been addressed:
Critical Issues Addressed
1. Session Reaper Vulnerability (CVE-2025-54236):
This issue affected REST API constructor parameter validation, potentially allowing improper data handling. The patch strengthens REST API validation and enforces stricter input sanitization to prevent misuse.
Note: A hotfix for this issue was previously released in September 2025 under APSB25-88.
2. Incorrect REST API Order Details (ACP2E-3874):
The REST API response for order details now returns accurate base_row_total and row_total values when multiple identical items are ordered, ensuring reliable reporting and order data accuracy.
3. Email Message Compatibility Issue (AC-15446):
Fixed an error in Magento\Framework\Mail\EmailMessage where getBodyText() attempted to call a non-existent getTextBody() method on Symfony\Component\Mime\Message. This ensures full compatibility with Magento 2.4.8-p2 and magento/framework 103.0.8-p2.
4. Insufficiently Protected Credentials (CVE-2025-27192):
Due to the end of support for TinyMCE 5/6 and licensing incompatibilities with TinyMCE 7, Adobe Commerce has migrated from TinyMCE to the open-source HugeRTE editor.
This migration eliminates known TinyMCE vulnerabilities, ensures open-source compliance, and provides a modern, supported WYSIWYG experience for developers and merchants.
5. Added Support for Apache ActiveMQ Artemis (STOMP):
This release introduces support for the Apache ActiveMQ Artemis open-source message broker via the Simple Text Oriented Messaging Protocol (STOMP), offering a more flexible and scalable messaging architecture for integrations.
For more detailed information, please refer to the official
Magento 2.4.8 - New Magento Version Stable is Released
Magento 2.4.8 introduces important updates in security, platform compatibility, and performance. Here are the highlights:
Security Enhancements
- Multiple security fixes with enhanced token validation and role-based access controls.
- Improved 2FA and reCAPTCHA behavior in both admin and storefront environments.
- Library updates to address vulnerabilities (e.g., Monolog, Flysystem, LessPHP).
- Critical patch for the SessionReaper vulnerability (CVE-2025-54236), which could allow unauthenticated attackers to hijack customer sessions and execute remote code via the REST API. The fix is included in 2.4.8-p3 and in the corresponding patches for earlier versions.
- Enhanced protections against privilege escalation, CSRF, cross-site scripting, and improper authorization flaws.
Improved Performance
- New indexers now default to “Update by Schedule” and begin in the “Ready” state, reducing manual steps.
- Optimized database queries for faster product and inventory operations.
- Stability and efficiency improvements for high-volume merchants.
Developer Experience
- Support for MySQL 8.4, MariaDB 11.4, Composer 2.4.x, and PHP 8.3.
- Deprecated Elasticsearch 8 support, paving the way for future enhancements.
- PHPUnit 10 readiness and upgraded JS/NPM packages.
- Cleaner admin UI with improved button labels and interface cues.
User Experience
- Updated Page Builder/WYSIWYG editor with better formatting control and reliability across content types.
- Accessibility improvements in admin and storefront views for better compliance.
About the Session Reaper Vulnerability
The Session Reaper vulnerability, tracked as CVE-2025-54236, is a critical security flaw found in multiple versions of Magento and Adobe Commerce platforms. It is among the most severe vulnerabilities in the history of Magento, allowing unauthenticated attackers to take over customer accounts and, in some cases, gain remote code execution on the server. This vulnerability exploits improper input validation and unsafe handling of serialized session data through Magento’s REST API, especially affecting stores using file-based session storage.
Attackers can upload malicious session files disguised as legitimate user sessions, leading to customer account takeovers, data theft, fraudulent orders, and possible full server control. Automated attacks have been widespread, with hundreds of Magento stores compromised shortly after proof-of-concept exploits became public. Moreover, attackers may upload PHP backdoors via vulnerable endpoints even after patching, if additional protections like specialized web application firewalls are not in place.
To protect your store, Adobe released emergency security patches across supported Magento versions. Each supported version now includes dedicated patches addressing the Session Reaper vulnerability:
- Magento 2.4.8-p3 patch
- Magento 2.4.7-p8 patch
- Magento 2.4.6-p13 patch
- Magento 2.4.5-p15 patch (Adobe Commerce only)
- Magento 2.4.4-p14 patch (Adobe Commerce only)
Important: Due to the critical nature and active exploitation of Session Reaper, you should immediately update to the latest Magento version or apply the latest security patches available to safeguard your store and customer data from this and related security risks. Additionally, consider scanning your codebase for any uploaded backdoors and tighten server security with specialized firewalls where possible.
This vulnerability underscores the importance of timely patching and monitoring for security threats in ecommerce environments.
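As an added example (not code from the original post or from Magento itself), a small POSIX shell check that reads the installed version and the session backend of a store and compares the patch level against the Session Reaper patch releases listed above. It assumes an Open Source install whose composer.lock lists `magento/product-community-edition` with its `"version"` on the following line (Adobe Commerce uses a different package name), and that the `'save'` key sits inside the `'session'` array of `app/etc/env.php`.

```shell
#!/bin/sh
# Added example: checks a Magento root for the Session Reaper patch level and
# for file-based session storage. Not part of the original post or of Magento.

# Minimum patch number per release line, as listed in the post.
min_patch_for_line() {
  case "$1" in
    2.4.8) echo 3 ;;
    2.4.7) echo 8 ;;
    2.4.6) echo 13 ;;
    2.4.5) echo 15 ;;
    2.4.4) echo 14 ;;
    *) echo "" ;;
  esac
}

# Exit 0 if a version such as 2.4.7-p8 is at or above the patched level for
# its line; exit 1 for unpatched, unsupported or malformed version strings.
is_patched() {
  line="${1%%-*}"
  p=0
  case "$1" in *-p*) p="${1##*-p}" ;; esac
  case "$p" in ''|*[!0-9]*) return 1 ;; esac
  need="$(min_patch_for_line "$line")"
  [ -n "$need" ] && [ "$p" -ge "$need" ]
}

# Version string from composer.lock (assumes "version" follows "name").
version_from_lock() {
  sed -n '/"name": "magento\/product-community-edition"/{n;s/.*"version": "\([^"]*\)".*/\1/p;}' "$1"
}

# Session backend ('files', 'db', 'redis', ...) from env.php (assumed layout).
session_save_from_env() {
  sed -n "/'session'/,/\]/p" "$1" | sed -n "s/.*'save' *=> *'\([^']*\)'.*/\1/p" | head -n 1
}

# Report for a Magento root directory: patch status and session storage.
check_store() {
  ver="$(version_from_lock "$1/composer.lock")"
  save="$(session_save_from_env "$1/app/etc/env.php")"
  if is_patched "$ver"; then echo "version $ver: patched"; else echo "version ${ver:-unknown}: NOT patched, update now"; fi
  [ "$save" = "files" ] && echo "session save=files: file-based storage, the configuration the post flags as most exposed"
  return 0
}

# Usage: MAGENTO_ROOT=/var/www/magento sh check_magento.sh
if [ -n "${MAGENTO_ROOT:-}" ]; then check_store "$MAGENTO_ROOT"; fi
```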
About the Comic String Vulnerability
The Comic String vulnerability is a critical security issue identified across multiple versions of Magento. One of the biggest vulnerabilities in the history of the platform, it exposes Magento stores to potential attacks, allowing hackers to exploit unprotected endpoints, inject malicious code, or gain unauthorised access to sensitive data.
To safeguard your store, Adobe has released various patches that mitigate this vulnerability across supported versions of Magento. Each supported version of Magento now has dedicated security patches addressing this issue:
- Magento 2.4.7: Fully patched with release 2.4.7 itself, which also brings many security and performance enhancements.
- Magento 2.4.6-p5: Patch version `p5` resolves this vulnerability with additional security improvements.
- Magento 2.4.5-p7: Patch version `p7` ensures robust protection against the vulnerability.
- Magento 2.4.4-p8: Addressed with patch version `p8` to safeguard your platform.
NOTE: The stable release of Magento 2.4.8 is now available. Make sure you update to the latest version or apply the latest security patch to protect your store from this and other security risks.
System Requirements for Magento 2.4.8
To run Magento 2.4.8 efficiently, make sure your environment meets the following requirements:
- PHP: 8.3 / 8.4
- MySQL: 8.4
- MariaDB: 11.4
- Elasticsearch: 8.17 (deprecated)
- OpenSearch: 2.19
- Varnish Cache: 7.6
- Redis: 8
- Composer: 2.8
- RabbitMQ: 4
Legacy Features and Updates in Previous Versions
If you’re upgrading from an earlier version, here’s a quick look at what’s new in recent versions:
Magento 2.4.7
- Includes over a dozen security fixes and validation enhancements.
- Improved GraphQL and REST API protection for sensitive data.
- Support added for PHP 8.3 and updated system dependencies.
- Boosted performance with optimized caching and indexing.
- Extended GraphQL coverage and a new Extension Metapackage for streamlined management.
Magento 2.4.6
- Over 150 bug fixes and quality improvements.
- Security enhancements like refined admin token validation.
- Support for PHP 8.2.
Magento 2.4.5
- Introduction of asynchronous bulk APIs for efficient data management.
- Enhanced B2B capabilities including better quote and order management.
- Expanded GraphQL support for inventory and B2B functionalities.
Magento 2.4.4
- Improved support for MySQL 8.0.
- Enhanced UI/UX in Page Builder.
- Support for Elasticsearch 7.16 and OpenSearch.
Why Upgrade?
Upgrading your Magento store is essential to maintaining security, performance, and compatibility with the latest technologies. With the Comic String vulnerability patched, enhanced GraphQL caching, and new developer tools, Magento 2.4.8 delivers a faster, safer, and more seamless shopping experience.