The vulnerability is a flaw that allows an attacker to consume excessive system resources by sending specially crafted requests to Adobe Commerce. This leads to an application denial‑of‑service condition. The flaw falls under CWE‑400 and does not require user interaction to trigger.

Adobe Commerce releases 2.4.9‑beta1, 2.4.8‑p4, 2.4.7‑p9, 2.4.6‑p14, 2.4.5‑p16, 2.4.4‑p17 and all earlier versions are affected. Users running any of these versions are at risk until a patched version is applied.

The CVSS score of 7.5 indicates a high severity risk. The EPSS score of 16% indicates a moderate likelihood of exploitation, but the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue remotely without authentication or user interaction, potentially overwhelming server resources and causing service disruption.