Impact
An attacker can consume excessive system resources by sending specially crafted requests to Adobe Commerce, which leads to an application denial-of-service condition. The flaw is classified as CWE-400 and requires no user interaction to trigger.
Affected Systems
Adobe Commerce releases 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and all earlier versions are affected. Users running any of these versions are at risk until a patched version is applied.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. No EPSS score is available, so the current exploitation probability cannot be quantified; the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue remotely without authentication or user interaction, potentially overwhelming server resources and causing service disruption.