Security Improvements
This release includes the same security fixes and platform improvements as Adobe Commerce 2.4.6-p5, 2.4.5-p7, and 2.4.4-p8. Although there have been no confirmed attacks to date, certain vulnerabilities could potentially be exploited to gain access to customer information or take over admin sessions. Most of these issues require an attacker to first gain access to the admin area. Therefore, it is essential to protect your admin area by, among other things:
IP whitelisting
Two-factor authentication
Using a VPN
Using a unique location instead of /admin
Good password practices
Additional Security Improvements
Changes to cache keys: Non-generated cache keys for blocks now include prefixes that differ from automatically generated keys. These keys can now only contain letters, numbers, hyphens (-), and underscores (_).
Limit on automatically generated discount codes: There is now a limit of 250,000 on the number of automatically generated discount codes. Merchants can adjust this limit via the new configuration option ‘Code Quantity Limit’ (Stores > Settings:Configuration > Customers > Promotions).
Optimization of default Admin URL generation: The generation of the default Admin URL has been optimized for increased randomness, making it less predictable.
New configuration setting for full-page cache: A new setting helps mitigate the risks associated with the endpoint {BASE-URL}/page_cache/block/esi. The default value is 100, but merchants can adjust this via the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles params size).
Support for Subresource Integrity (SRI): To comply with PCI 4.0 requirements, SRI support has been added for all JavaScript files on payment pages. Merchants can extend this configuration to other pages.
Changes in Content Security Policy (CSP): Updates and improvements have been made to the CSPs to comply with PCI 4.0 requirements. The default CSP configuration for payment pages is now ‘restrict mode’. For all other pages, the default configuration is ‘report-only mode’.
Rate limiting for payment information via REST and GraphQL APIs: Merchants can now configure rate limiting for payment information sent via REST and GraphQL, which helps prevent carding attacks.
Change in the behavior of the isEmailAvailable API: By default, this API now always returns ‘true’. Merchants can enable the original behavior by setting the option ‘Enable Guest Checkout Login’ in the Admin to ‘yes’, but this may expose customer information to unauthenticated users.
Platform Improvements
Compatibility with PHP 8.3: This release introduces support for PHP 8.3. Magento Open Source now supports both PHP 8.3 and 8.2. PHP 8.2 will be supported until December 2025. After that date, migration to PHP 8.3 is recommended.
Support for RabbitMQ 3.13: This release is compatible with RabbitMQ 3.13. While compatibility with RabbitMQ 3.11 and 3.12 is maintained, using version 3.13 is recommended.
Compatibility with Composer 2.7.x: Compatibility with Composer 2.2.x is retained.
Support for Varnish Cache 7.4: This release is compatible with Varnish Cache 7.4. While compatibility with versions 6.0.x and 7.2.x is maintained, using version 7.4 or version 6.0 LTS is recommended.
Compatibility with Elasticsearch 8.11 and OpenSearch 2.12 and 1.3: This release supports these versions.
Support for Redis 7.2: This release is compatible with Redis 7.2.
Replacing extjs with jsTree: The extjs library has been replaced with the latest version of jsTree.
Removal of jquery/fileUpload library: This library has been removed.
Update of JavaScript libraries and NPM dependencies: All JavaScript libraries and NPM dependencies in the core code of Magento Open Source have been updated to the latest available versions.
Update of Laminas library dependencies: All Laminas library dependencies have been updated to the latest versions compatible with PHP 8.3.
See all release notes at magento.com
