CVE-2025-24432: 
PHP vulnerability analysis and mitigation

Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. The vulnerability was discovered and disclosed on February 11, 2025, and was assigned identifier CVE-2025-24432 (NVD, Adobe Security).

The vulnerability is classified as a Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367). It has been assigned a CVSS v3.1 base score of 3.7 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility with high attack complexity, no privileges required, and no user interaction needed (Adobe Security).

An attacker could exploit this race condition to alter a condition after it has been checked but before it is used, potentially bypassing security mechanisms (NVD).

Adobe has released security updates to address this vulnerability. The recommended versions are: 2.4.8-beta2 for 2.4.8-beta1 users, 2.4.7-p4 for 2.4.7-p3 and earlier, 2.4.6-p9 for 2.4.6-p8 and earlier, 2.4.5-p11 for 2.4.5-p10 and earlier, and 2.4.4-p12 for 2.4.4-p11 and earlier (Adobe Security).

The vulnerability was reported by security researcher sheikhrishad0, as acknowledged in Adobe's security bulletin (Adobe Security).