Impact
An uncontrolled resource consumption flaw in Adobe Commerce allows an attacker to exhaust system resources, producing a denial of service. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) and requires no user interaction to exploit. Successful exploitation makes the application unavailable to legitimate users, with knock-on effects on dependent systems (checkout, integrations, storefront) and on revenue for as long as the outage lasts.
Affected Systems
Adobe Commerce is affected in versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier releases. Each listed build is the highest affected patch level on its release branch, so every earlier patch level on that branch is also affected, as is every release older than the 2.4.4 branch. An installation running any of these builds, or anything older, should be treated as vulnerable.
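The "listed build or older" rule is easy to get wrong by hand because Adobe Commerce versions carry pre-release (beta) and security-patch (pN) suffixes that do not sort like plain semantic versions. The following is an added example, not part of the advisory or of Adobe's tooling, that encodes the list above and classifies an installed version. It assumes the version string is obtained from the installation (for example from `bin/magento --version` or the installed package metadata), and that within one base version the order is alpha < beta < rc < GA < p1 < p2 and so on. It deliberately says nothing about which builds are fixed, since the text above does not name them: anything newer than a listed build is reported only as "not in the advisory list".

```python
import re

# Affected ceilings exactly as listed in the advisory text above: the highest
# affected build on each release branch. Everything older on that branch, and
# every branch older than the oldest one listed, is also affected.
AFFECTED_CEILINGS = [
    "2.4.9-beta1", "2.4.8-p4", "2.4.7-p9",
    "2.4.6-p14", "2.4.5-p16", "2.4.4-p17",
]

# Matches "2.4.7", "2.4.7-p3", "2.4.9-beta1", anywhere in a longer string.
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|p)(\d+))?", re.IGNORECASE
)

# Ordering of suffix kinds within one base version (assumed convention):
# pre-releases sort before the GA build, security patch levels after it.
_KIND_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3, "p": 4}


def parse_version(text):
    """Extract an Adobe Commerce version from free text and return a sortable key.

    Returns (major, minor, patch, kind_rank, suffix_number); suffix_number is
    the beta/rc/patch counter and 0 for a plain GA build.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, kind, num = m.groups()
    kind = kind.lower() if kind else None
    return (int(major), int(minor), int(patch), _KIND_RANK[kind], int(num or 0))


def assess(version_text):
    """Return (affected, reason) for an installed version against the advisory list."""
    v = parse_version(version_text)
    base = v[:3]

    # Map each listed branch (major, minor, patch) to its ceiling key and label.
    ceilings = {}
    for label in AFFECTED_CEILINGS:
        key = parse_version(label)
        ceilings[key[:3]] = (key, label)
    oldest_branch = min(ceilings)

    if base in ceilings:
        ceiling_key, label = ceilings[base]
        if v <= ceiling_key:
            return True, f"at or below listed affected build {label}"
        return False, f"newer than listed affected build {label}; not in the advisory list"

    if base < oldest_branch:
        return True, "older than the oldest listed branch ('all earlier releases')"

    return False, "release branch not named in the advisory; not in the advisory list"


if __name__ == "__main__":
    # Constructed sample inputs, in the shape a CLI or package file would give.
    for sample in ("Adobe Commerce 2.4.7-p3", "2.4.8", "2.4.9-beta1", "2.4.9",
                   "2.3.7-p4", "2.4.8-p5"):
        affected, reason = assess(sample)
        print(f"{sample:28} affected={affected}  ({reason})")
```

Run it against the version string of each environment (production, staging, any forked or containerised copies); a build that comes back "not in the advisory list" is not thereby confirmed fixed, it only means the advisory text above does not name it, so check Adobe's release notes for that branch before closing the finding.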
Risk and Exploitability
The CVSS base score of 7.5 places the vulnerability in the High severity band. No EPSS score is available, so the statistical likelihood of exploitation is unknown; the absence of an EPSS value and of a CISA KEV entry is a lack of data, not evidence that the flaw is unexploited. What is known is that exploitation needs no user interaction, which makes the issue reachable by a remote, unauthenticated actor in the typical deployment. The advisory does not describe the trigger; given the CWE-400 classification, the likely vector is crafted requests or traffic that make the application consume CPU, memory, connections or storage without an effective limit in the application code.
OpenCVE Enrichment