Magento 2 store owners, it’s time to take quick action. Adobe recently released an important security update fixing a critical issue that could allow unauthorized code execution. If your store hasn’t been patched yet, you should act immediately. After applying the patch, take one more important step - disable unused and risky file upload endpoints such as customer address file uploads.
Good news - Adobe’s official patch is out
Adobe resolved the issue in time and released an emergency patch that completely fixes the vulnerability.
Now it’s your turn - apply the patch and protect your store. Don’t delay, act now.
Follow Adobe’s official instructions here: Adobe Patch Instructions.
How to apply the patch
Download the patch VULN-32437-2-4-X and run the following commands from your Magento 2 root directory:
curl -LO https://repo.magento.com/patch/VULN-32437-2-4-X-patch.zip
unzip VULN-32437-2-4-X-patch.zip
patch -p1 < VULN-32437_2.4.X.patch && \
php -d memory_limit=-1 bin/magento cache:clean
After running these commands, you should see a change in vendor/magento/framework/Webapi/ServiceInputProcessor.php similar to this:
diff --git a/vendor/magento/framework/Webapi/ServiceInputProcessor.php b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
index ba58dc2bc7acf..06919af36d2eb 100644
--- a/vendor/magento/framework/Webapi/ServiceInputProcessor.php
+++ b/vendor/magento/framework/Webapi/ServiceInputProcessor.php
@@ -246,6 +246,13 @@ private function getConstructorData(string $className, array $data): array
if (isset($data[$parameter->getName()])) {
$parameterType = $this->typeProcessor->getParamType($parameter);
+ // Allow only simple types or Api Data Objects
+ if (!($this->typeProcessor->isTypeSimple($parameterType)
+ || preg_match('~\\\\?\w+\\\\\w+\\\\Api\\\\Data\\\\~', $parameterType) === 1
+ )) {
+ continue;
+ }
+
try {
$res[$parameter->getName()] = $this->convertValue($data[$parameter->getName()], $parameterType);
} catch (\ReflectionException $e) {
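Review bot: The preg_match pattern in the added condition is not anchored, so the check passes for any $parameterType that contains a Vendor\Module\Api\Data\ segment anywhere in the string, not only for a type that begins with one. Anchoring the pattern with ^ and constraining what may follow the Data\ segment would make the condition match what the comment "Allow only simple types or Api Data Objects" says. A second point on the same lines: a rejected parameter is dropped with a bare continue, so a blocked request leaves no trace. A log entry at that point would let operators see when the allowlist rejects input.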
Integration of the Patch in Later Versions
As of October 14, Adobe officially included the fix in the APSB25-94 release. You can verify this in the Adobe Security Bulletin.
Stores running the following versions are already protected:
- Magento 2.4.6-p13
- Magento 2.4.7-p8
- Magento 2.4.8-p3
If you are on one of these releases, you’re all set - but double-check your update status to be sure you’re protected from APSB25-94 and related vulnerabilities.
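One way to double-check, whether you applied the hotfix or upgraded: the shell function below is an added example (not Adobe's code and not part of the original post) that looks for the allowlist condition from the diff above in ServiceInputProcessor.php. The function name and exit codes are made up for this example, and the lib/internal path is an assumption covering git-based installs.

```shell
#!/bin/sh
# Added example: confirm the allowlist check from the patch is present on disk.
# Marker strings are copied from the diff on this page; a release that words the
# check differently would be reported as MISSING (assumption to verify by eye).
MARKER_CALL='isTypeSimple($parameterType)'
MARKER_REGEX='Api\\\\Data\\\\~'

# check_magento_fix ROOT -> 0 fix present, 1 fix missing, 2 file not found
check_magento_fix() {
    cmf_root=${1:-.}
    cmf_seen=0
    cmf_rc=0
    # First path is the one named on the page (Composer install). The second is
    # the framework location in a git-clone install (assumption about your setup).
    for cmf_rel in \
        vendor/magento/framework/Webapi/ServiceInputProcessor.php \
        lib/internal/Magento/Framework/Webapi/ServiceInputProcessor.php
    do
        cmf_file=$cmf_root/$cmf_rel
        [ -f "$cmf_file" ] || continue
        cmf_seen=1
        # grep -F matches the markers literally, backslashes included.
        if grep -qF -- "$MARKER_CALL" "$cmf_file" &&
           grep -qF -- "$MARKER_REGEX" "$cmf_file"; then
            echo "PATCHED  $cmf_file"
        else
            echo "MISSING  $cmf_file"
            cmf_rc=1
        fi
    done
    if [ "$cmf_seen" -eq 0 ]; then
        echo "NOT FOUND: ServiceInputProcessor.php under $cmf_root" >&2
        return 2
    fi
    return "$cmf_rc"
}

# Run against a Magento root when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_magento_fix "$1"
fi
```

Run it with the Magento root as its argument; the non-zero exit codes make it usable as a gate in a deployment script.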
Now, secure your store even further
After patching, take the next proactive step: eliminate unnecessary upload endpoints to minimize future risks. One of them is the Customer Address File Upload endpoint in Magento 2.
basecom/magento2-disable-customer-address-file-upload
Purpose: Disables the customer address file upload endpoint, which can be exploited for malicious file uploads or remote code execution.
Install the Basecom module
Here’s how to install and activate it safely:
composer require basecom/magento2-disable-customer-address-file-upload
bin/magento module:enable Basecom_DisableCustomerAddressFileUpload
bin/magento setup:upgrade
bin/magento cache:clean
Once enabled, any file upload attempts via the customer address form or API will be blocked, closing a potential attack surface that many stores overlook.
Final thoughts
Security is an ongoing process. Applying Adobe’s latest patch keeps your Magento 2 core secure, and disabling risky features like address file uploads makes your store even safer. Combine both steps to achieve layered protection and peace of mind.

