Adobe Commerce CVE-2025-54264: Brief Summary of a Critical Stored XSS Vulnerability

This post provides a brief summary of CVE-2025-54264, a critical stored cross-site scripting vulnerability affecting Adobe Commerce and Magento Open Source. It covers technical details, affected versions, patch information, and vendor security history based on available sources.
ZeroPath CVE Analysis

2025-10-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Session hijacking and privilege escalation attacks on e-commerce platforms can directly impact business operations, customer trust, and regulatory compliance. Adobe Commerce (formerly Magento) is widely used by online retailers, making vulnerabilities in this platform particularly significant for the global digital economy.

Adobe Commerce and Magento Open Source are leading e-commerce solutions powering thousands of online stores worldwide. Their flexibility and extensibility have made them a popular choice for businesses of all sizes, from small retailers to large enterprises. Adobe, the vendor behind these platforms, maintains a proactive security program and regularly issues security advisories and patches to address newly discovered vulnerabilities.

Technical Information

CVE-2025-54264 is a stored cross-site scripting vulnerability (CWE-79) affecting Adobe Commerce and Magento Open Source. Attackers with high-privileged access can inject malicious JavaScript into certain form fields within the administrative interface. This malicious code is then stored in the application's database and will execute in the browser of any user who later accesses the affected page. The attack is possible over the network and does not require complex preconditions, but it does require the attacker to have high privileges and for a victim to interact with the compromised page.

The root cause is insufficient input validation and output encoding for specific form fields, allowing user-supplied data to be rendered as executable JavaScript. The vulnerability is classified as having a changed scope, meaning that exploitation can affect components beyond the initially vulnerable one. The main risk is session hijacking, where an attacker can impersonate users by stealing session cookies or tokens, leading to further privilege escalation or data compromise. No public proof of concept or vulnerable code snippets are available at this time.
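As an added illustration of the root cause described above (example code written for this post, not Adobe's or Magento's own code): a Python rendering of an admin-editable record, first with the stored value interpolated straight into markup, then with output encoding appropriate to each context (text node, attribute value, URL scheme), followed by a scan that locates stored plain-text fields already containing markup or script markers. The record layout, field names, sample values and the script payload in record 2 are all constructed for the example.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample records standing in for rows of an admin-editable table.
# The "label" field is meant to hold plain text; record 2 carries an inline-script
# payload of the kind a stored XSS relies on (constructed for this example).
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"id": 1, "label": "Summer Sale", "url": "/sale"},
    {"id": 2, "label": "<script>alert(1)</script>", "url": "/promo"},
    {"id": 3, "label": '10% off "Premium" & more', "url": "javascript:void(0)"},
]


def render_row_vulnerable(record: Dict[str, object]) -> str:
    """Interpolates stored values straight into markup: any tag or attribute the
    value contains is parsed by the browser (the CWE-79 pattern)."""
    return f'<tr><td><a href="{record["url"]}">{record["label"]}</a></td></tr>'


def render_row_safe(record: Dict[str, object]) -> str:
    """Encodes each value for the context it lands in: html.escape for the text
    node and the attribute value, plus a scheme allow-list for href."""
    label = html.escape(str(record["label"]), quote=True)
    url = str(record["url"])
    # Accept only site-relative paths (not protocol-relative "//host") and
    # http(s) URLs in href; anything else, e.g. a javascript: scheme, becomes "#".
    if not re.match(r"^(?:/(?!/)|https?://)", url, re.I):
        url = "#"
    url = html.escape(url, quote=True)
    return f'<tr><td><a href="{url}">{label}</a></td></tr>'


# Heuristic markers of markup or script in a field that should be plain text.
_MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z][a-z0-9]*"   # opening or closing tag
    r"|javascript\s*:"           # javascript: URL scheme
    r"|\bon[a-z]+\s*=",          # inline event-handler attribute
    re.I,
)


def scan_stored_fields(records, plain_text_fields) -> List[Tuple[object, str, str]]:
    """Flags stored values that contain markup or script markers.
    Returns (record id, field name, matched token) per hit so that content
    injected before patching can be located and reviewed afterwards."""
    hits = []
    for record in records:
        for field in plain_text_fields:
            value = str(record.get(field, ""))
            m = _MARKUP_RE.search(value)
            if m:
                hits.append((record["id"], field, m.group(0)))
    return hits


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("vulnerable:", render_row_vulnerable(rec))
        print("safe:      ", render_row_safe(rec))
    print("flagged:", scan_stored_fields(SAMPLE_RECORDS, ["label", "url"]))
```

Two points worth keeping in mind when applying this to a real store: output encoding at render time is the fix that removes the vulnerability, while rejecting markup on input is defense in depth rather than a substitute; and the scan is deliberately scoped to fields that should never contain HTML, because rich-text fields such as CMS blocks legitimately hold markup and would drown the results in false positives.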

Patch Information

Adobe has released security updates for Adobe Commerce and Magento Open Source to address several vulnerabilities, including CVE-2025-54264. To mitigate these risks, Adobe recommends updating your installation to the latest versions:

  • Adobe Commerce:

    • 2.4.9-alpha3 for 2.4.9-alpha2
    • 2.4.8-p3 for 2.4.8-p2 and earlier
    • 2.4.7-p8 for 2.4.7-p7 and earlier
    • 2.4.6-p13 for 2.4.6-p12 and earlier
    • 2.4.5-p15 for 2.4.5-p14 and earlier
    • 2.4.4-p16 for 2.4.4-p15 and earlier
  • Adobe Commerce B2B:

    • 1.5.3-alpha3 for 1.5.3-alpha2
    • 1.5.2-p3 for 1.5.2-p2 and earlier
    • 1.4.2-p8 for 1.4.2-p7 and earlier
    • 1.3.4-p13 for 1.3.4-p12 and earlier
    • 1.3.3-p14 for 1.3.3-p13 and earlier
    • 1.3.3-p16 for 1.3.3-p15 and earlier
  • Magento Open Source:

    • 2.4.9-alpha3 for 2.4.9-alpha2
    • 2.4.8-p3 for 2.4.8-p2 and earlier
    • 2.4.7-p8 for 2.4.7-p7 and earlier
    • 2.4.6-p13 for 2.4.6-p12 and earlier
    • 2.4.5-p15 for 2.4.5-p14 and earlier

These updates are categorized with a priority rating of 2, indicating that they address vulnerabilities that could potentially be exploited, though Adobe is not aware of any exploits in the wild for the issues addressed. It is crucial to apply these updates promptly to ensure the security and integrity of your Adobe Commerce or Magento Open Source installations.

For detailed installation instructions and release notes, please refer to the 2.4.x release notes.

Affected Systems and Versions

CVE-2025-54264 affects the following products and versions:

  • Adobe Commerce: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and all earlier versions
  • Adobe Commerce B2B: 1.5.3-alpha2, 1.5.2-p2, 1.4.2-p7, 1.3.4-p12, 1.3.3-p13, 1.3.3-p15 and all earlier versions
  • Magento Open Source: 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14 and all earlier versions

Any installation running these versions without the latest patches is vulnerable. Both default and customized deployments are affected if they include the vulnerable code paths.
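To turn the version lists above (Patch Information and Affected Systems and Versions) into a check that can be run against an installation's version string, here is an added Python example; it is not part of the original post and not Adobe's tooling. It encodes the 2.4.x fixed versions from the list as a table (the Adobe Commerce B2B 1.x line is not included), treats branches older than the oldest listed one as covered by the "and all earlier versions" wording, and reports unlisted newer branches as unknown. The status names and the suffix ordering (alpha, beta, unsuffixed release, then -pN patch releases) are this example's own assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions for the 2.4.x line, as listed in the patch information above.
# Keyed by branch (major, minor, patch); the value is the first version of that
# branch containing the fix. 2.4.4 appears only in the Adobe Commerce list.
FIXED_VERSIONS: Dict[Tuple[int, int, int], str] = {
    (2, 4, 9): "2.4.9-alpha3",
    (2, 4, 8): "2.4.8-p3",
    (2, 4, 7): "2.4.7-p8",
    (2, 4, 6): "2.4.6-p13",
    (2, 4, 5): "2.4.5-p15",
    (2, 4, 4): "2.4.4-p16",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Within one branch, pre-releases sort before the unsuffixed release, which sorts
# before its patch releases (-pN). Assumed ordering for this example.
_KIND_RANK = {"alpha": 0, "beta": 1, "release": 2, "p": 3}


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Splits '2.4.7-p7' into branch (2, 4, 7) and a sortable suffix (rank, number)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, kind, number = m.groups()
    branch = (int(major), int(minor), int(patch))
    if kind is None:
        return branch, (_KIND_RANK["release"], 0)
    return branch, (_KIND_RANK[kind], int(number))


def assess(installed: str) -> Tuple[str, Optional[str]]:
    """Returns (status, fixed_version) for an installed version string.

    status is 'patched', 'vulnerable' or 'unknown'; fixed_version is the first
    fixed release of the same branch, or None when the list names none."""
    branch, suffix = parse_version(installed)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Older than every listed branch: covered by "and all earlier versions".
        # Newer than the listed branches: not something this table can answer.
        if branch < min(FIXED_VERSIONS):
            return "vulnerable", None
        return "unknown", None
    _, fixed_suffix = parse_version(fixed)
    if suffix >= fixed_suffix:
        return "patched", fixed
    return "vulnerable", fixed


if __name__ == "__main__":
    for v in ["2.4.7-p7", "2.4.7-p8", "2.4.9-alpha2", "2.4.6", "2.4.3-p5", "2.5.0"]:
        print(v, "->", assess(v))
```

The version string to feed in is the one the installation itself reports (for example from the Composer metadata of the deployed code base), not the one an operator remembers deploying; a result of "vulnerable" with no fixed version means the branch has no listed fix and an upgrade to a supported branch is the only path.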

Vendor Security History

Adobe Commerce (Magento) has previously been affected by vulnerabilities including cross-site scripting, remote code execution, and privilege escalation. Adobe typically responds quickly to new reports, issuing advisories and patches within weeks. The company maintains a public bug bounty program and coordinates with security researchers for responsible disclosure. Their security bulletins are detailed and include clear patch instructions, reflecting a mature vulnerability management process.
