Magento Open Source 2.4.3 introduces enhancements to performance and security plus significant platform improvements. Security enhancements include expansion of reCAPTCHA coverage and inclusion of built-in rate limiting. Core composer dependencies and third-party libraries have been upgraded to the latest versions that are compatible with PHP 8.x. Page Builder is now available as a bundled extension in Magento Open Source. It is now the default content editing tool for Adobe Commerce and Magento Open Source.
This release includes over 370 new fixes to core code and 33 security enhancements. It includes the resolution of almost 290 GitHub issues by our community members. These community contributions range from minor clean-up of core code to significant enhancements in GraphQL.
This release includes over 370 new fixes to core code and 33 security enhancements. All known issues identified in the Magento Open Source 2.4.2 release notes have been fixed in this release.
Quarterly releases may contain backward-incompatible changes (BIC). Magento Open Source 2.4.2 contains minor backward-incompatible changes. To review minor backward-incompatible changes, see BIC reference. (Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.)
See Adobe Commerce 2.4.2-p2 release notes for information about Adobe Commerce 2.4.2-p2.
Although code for these features is bundled with quarterly releases of the Magento core code, several of these projects (for example, Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in the separate, project-specific release information that is available in the documentation for each project.
Apply MC-43048__set_rate_limits__2.4.3.patch to address issue with API rate limiting
This hotfix provides a solution for the issue where Web APIs cannot process requests that contain more than 20 items in an array. This issue affects deployments running Magento Open Source 2.4.3, Adobe Commerce 2.4.3, or Magento 2.3.7-p1. Built-in rate limiting was added to these releases to prevent denial-of-service (DoS) attacks, and the default maximum was set to 20. This patch reverts the default limit to a higher value. If you suspect that your store is experiencing a DoS attack, Adobe recommends lowering the default input limits to a lower value to restrict the number of resources that can be requested. See the Web API unable to process requests with more than 20 items in array Knowledge Base article.
Apply AC-384__Fix_Incompatible_PHP_Method__2.4.3_ce.patch to address PHP fatal error on upgrade
The following fatal error can occur during upgrade to Magento Open Source 2.4.3:
PHP Fatal error: Uncaught Error: Call to undefined function Magento\Framework\Filesystem\Directory\str_contains() in [...]/magento/vendor/magento/framework/Filesystem/Directory/DenyListPathValidator.php:74
This error results from the use of the
str_contains function, which is an PHP 8.x function. Magento Open Source 2.4.3 does not support PHP 8.x. This hotfix replaces this function with a supported PHP 7.x function. See the Adobe Commerce upgrade 2.4.3, 2.3.7-p1 PHP Fatal error Hotfix Knowledge Base article.
Look for the following highlights in this release.
Substantial security enhancements
This release includes 33 security fixes and platform security improvements. Many of these security fixes have been backported to Magento 2.4.2-p2 and Magento 2.3.7-p1.
Thirty-three security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities
No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP allowlisting, two-factor authentication, use of a VPN, the use of a unique location rather than
/admin, and good password hygiene. See Adobe Security Bulletin for a discussion of these fixed issues.
Additional security enhancements
Security improvements for this release improve compliance with the latest security best practices, including:
- A new Composer plugin helps prevent dependency confusion and identifies malicious packages with the same names as internal packages on the public package repository. See the Adobe Releases New Composer Plugin with Magento 2.4.3 Release blog post.
- Rate limiting is now built in to Magento APIs to prevent denial-of-service (DoS) attacks. Web APIs now impose restrictions on the size or number of resources (the default maximum is set to 20 and can be configured to a different value based on business need) that can be requested by a client. See Rate limiting for information about configuring these restrictions.
- ReCAPTCHA coverage has been extended to include:
- Web APIs that have corresponding HTML pages are covered through ReCAPTCHA. (This excludes web APIs that are accessed by integrations.) ReCAPTCHA coverage protects endpoints from spam attacks. When web APIs are accessed by a third-party integration service that uses OAuth, ReCAPTCHA is disabled.
- The Place Order storefront page and payment-related web APIs. ReCAPTCHA protection for these pages is disabled by default and can be enabled from the Admin. This coverage adds an anti-brute force mechanism to protect stores from carding attacks.
Starting with the release of Magento Open Source 2.3.2, we will assign and publish indexed Common Vulnerabilities and Exposures (CVE) numbers with each security bug reported to us by external parties. This allows users to more easily identify unaddressed vulnerabilities in their deployment. You can learn more about CVE identifiers at CVE.
This release contains enhancements that improve the quality of the framework and the following functional areas:
- Customer Account
- Promotions and Targeting
- Cart and Checkout
- Staging and Preview
PayPal Pay Later is now supported in deployments that include PayPal. This feature allows shoppers to pay for an order in bi-weekly installments instead of paying the full amount at time of purchase.
use_application_lock indexing mode. The
use_application_lock mode lets you enable re-indexing through either the use of environment variables or by configuring the
app/etc/env.php file. You no longer need to manually reset the indexer after failure with this mode enabled. See Using application lock mode for reindex processes.
Magento 2.4.3 is not yet compatible with PHP 8.x, but the following platform upgrades bring us closer to future compatibility with PHP 8.x.
- Core Composer dependencies and third-party libraries have been upgraded to the latest versions that are compatible with PHP 8.x.
- The KnockoutJS library has been upgraded to v3.5.1 (the latest version).
- The deprecated TinyMCE v3 library has been removed. The
Magento_Tinymce3Bannermodule and MFTF tests related to TinyMCE v3.x have been removed from Adobe Commerce.
- Magento Open Source 2.4.3 has been tested and confirmed to be compatible with Redis 6.0.12. (Magento 2.4.x remains compatible with Redis 5.x.)
- Laminas library dependencies have been upgraded to PHP 8.x-compatible versions. Some redundant dependencies have been removed from the
composer.jsonfile. Magento Open Source 2.4.3 uses Laminas 3.4.0.
This release includes enhancements that decrease indexation time for Product Price and Catalog Rule indexers. Merchants can now exclude a website from a customer group or shared catalog, which reduces the number of records for indexing and improves indexing times.
Adobe Stock Integration
This release includes Adobe Stock Integration v2.1.1.
This release adds GraphQL coverage for shared routes. The route query and RoutableInterface support routing requests on product, category, and CMS pages. The
urlResolver query has been deprecated, and its functionality has been superseded by the
See the GraphQL Developer Guide for details on these enhancements.
Page Builder is now available as a bundled extension in Magento Open Source. It is now the default content editing tool for Adobe Commerce 2.4.3 and Magento Open Source 2.4.3. It can replace the WYSIWG editor with any third-party module.
Page Builder replaces the TinyMCE editor in the following Admin areas:
- CMS Page
- CMS Block
- Category Description
- Product Description
All the content created in TinyMCE has been migrated into Page Builder as HTML.
Upgrade Compatibility Tool
The scope of the Upgrade Compatibility Tool has been expanded based on feedback from the community. Join our #upgrade-compatibility-tool Slack channel to get support from the Adobe product team and the community, as well as to help guide the future direction of the tool.
Vendor Developed Extensions
See the following articles for updates on features and changes for this release: