How to Apply Security Patches in Magento 2
Keeping Magento 2 secure requires applying security patches promptly. Adobe releases security patches regularly, both as standalone patches and as part of full version releases. Understanding the different patch types and how to apply them reduces the risk of both security vulnerabilities and deployment issues.
Types of Patches
Full Releases (e.g., 2.4.7, 2.4.8)
Full releases include new features, bug fixes, and all accumulated security patches. Upgrading to a new full release is the most comprehensive approach but requires thorough testing due to the scope of changes.
Security-Only Patches (e.g., 2.4.7-p1, 2.4.7-p2)
Security-only patches contain exclusively security fixes applied on top of a specific base release. They carry minimal risk of introducing regressions since they do not include feature changes or bug fixes unrelated to security.
Patch releases are cumulative: each 2.4.7-pN contains every fix from the earlier 2.4.7 patch releases, so a store on 2.4.7 or 2.4.7-p1 can move straight to 2.4.7-p3 without stepping through 2.4.7-p2, and without upgrading to 2.4.8.
Isolated Patches
Occasionally, Adobe releases an isolated patch for a critical vulnerability that must be addressed before the next scheduled release. These are distributed as .patch files rather than as Composer packages and are applied from the Magento root with git apply (or the patch utility). They are normally included in the next security-only release, after which they no longer need to be applied separately.
Checking for Available Patches
Adobe Security Bulletin
Subscribe to the Adobe Security Bulletin to receive notifications about new security patches. Each bulletin lists affected versions, severity ratings, and available patch versions.
Composer
List every release Adobe has published for the product metapackage; the -pN entries on the versions line are the security-only releases for each base version:
composer show magento/product-community-edition --available
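Reading the versions line by eye is error-prone when several base versions are in flight. The script below is an added example, not Adobe's tooling or code from this page: it works out from that line whether the installed store is behind the newest -pN release of its own base version. SAMPLE_VERSIONS is a constructed stand-in for the real composer output so the script runs offline, and INSTALLED is assumed to have been read from php bin/magento --version, which prints e.g. "Magento CLI 2.4.7-p3".

```shell
#!/bin/sh
# Added example (not Adobe's or the page's own tooling): decide whether the
# installed Magento release is behind the newest security-only (-pN) release
# of the same base version, using the "versions" line that
# `composer show magento/product-community-edition --available` prints.
set -eu

# Constructed sample of the composer "versions" line; replace with real output.
SAMPLE_VERSIONS='versions : 2.4.8-p1, 2.4.8, 2.4.7-p5, 2.4.7-p4, 2.4.7-p3, 2.4.7-p2, 2.4.7-p1, 2.4.7, 2.4.6-p8'
# Assumed to come from: php bin/magento --version  ->  "Magento CLI 2.4.7-p3"
INSTALLED=2.4.7-p3

# Accept only the two shapes Adobe publishes: 2.4.7 or 2.4.7-pN.
validate_version() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-p[0-9]+)?$'
}

# 2.4.7-p3 -> 2.4.7 ; 2.4.7 -> 2.4.7
base_version() {
    printf '%s\n' "${1%%-p*}"
}

# 2.4.7-p3 -> 3 ; 2.4.7 -> 0 (a plain release is patch level zero)
patch_level() {
    case $1 in
        *-p*) printf '%s\n' "${1##*-p}" ;;
        *)    printf '0\n' ;;
    esac
}

# Print the highest -pN release for base version $1 found in the composer
# versions line $2, or nothing if that base version is not listed at all.
# Tokens that are not well-formed release strings are skipped, not compared.
latest_patch_release() {
    base=$1
    best=
    best_level=-1
    for v in $(printf '%s\n' "${2#*:}" | tr ',' ' '); do
        validate_version "$v" || continue
        [ "$(base_version "$v")" = "$base" ] || continue
        level=$(patch_level "$v")
        if [ "$level" -gt "$best_level" ]; then
            best=$v
            best_level=$level
        fi
    done
    if [ -n "$best" ]; then
        printf '%s\n' "$best"
    fi
}

# Exit 0 when a newer -pN exists for the installed base version, 1 when the
# store is current (or its base is not listed), 2 when the installed version
# string itself is malformed and must not be trusted.
needs_patch() {
    validate_version "$1" || { echo "unrecognised version: $1" >&2; return 2; }
    latest=$(latest_patch_release "$(base_version "$1")" "$2")
    [ -n "$latest" ] || return 1
    [ "$(patch_level "$latest")" -gt "$(patch_level "$1")" ]
}

if needs_patch "$INSTALLED" "$SAMPLE_VERSIONS"; then
    echo "$INSTALLED is behind $(latest_patch_release "$(base_version "$INSTALLED")" "$SAMPLE_VERSIONS"); schedule the patch"
else
    echo "$INSTALLED is the newest patch level for its base version"
fi
```

Because patch releases are cumulative, the comparison only needs the highest -pN for the installed base version; a jump from 2.4.7-p3 directly to 2.4.7-p5 is the expected path. Feeding the real composer output into SAMPLE_VERSIONS and the real CLI version into INSTALLED makes this usable as a scheduled check.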
Applying Patches via Composer
The standard method for applying patches in Magento 2 is through Composer.
Upgrading to a Security Patch Release
# Pin the security-only release for your current base version, then let Composer resolve it
composer require magento/product-community-edition=2.4.7-p3 --no-update
composer update magento/product-community-edition --with-dependencies
# Deployment sequence, in this order: schema and data, generated code, static assets, then caches
php bin/magento setup:upgrade
php bin/magento setup:di:compile
php bin/magento setup:static-content:deploy
php bin/magento cache:flush
Using cweagans/composer-patches
For isolated patches or custom patches that are not distributed as Composer packages, use the cweagans/composer-patches plugin. Two caveats first: Adobe's standalone patches are generated against the Magento root, so check that they apply cleanly with git apply --check from the install root before anything else; and the plugin applies each patch inside the directory of the package you list it under, so the paths in the patch must be relative to that package, not to the Magento root.
composer require cweagans/composer-patches
Add patches to your composer.json:
{
    "extra": {
        "patches": {
            "magento/module-checkout": {
                "Fix checkout validation": "patches/checkout-validation-fix.patch"
            }
        }
    }
}
Then run:
composer install
The plugin applies patches automatically during composer install and composer update. Patches are tracked in composer.json, making them version-controlled and reproducible across environments. Two settings matter for security patches: on Composer 2.2 and later the plugin must be listed under config.allow-plugins in composer.json or it will not run at all, and by default the plugin only warns and continues when a patch fails to apply, so set "composer-exit-on-patch-failure": true in the extra section so that a security patch that does not apply fails the install instead of being silently skipped.
Verification Steps
After applying a patch, verify it was applied correctly:
Check Version
php bin/magento --version
The output has the form "Magento CLI 2.4.7-p3"; the -pN suffix is the patch level, and its absence means no security-only release is installed on top of the base version.
See also: How to Check Magento 2 Version
Verify Applied Patches
For patches applied via cweagans/composer-patches, read the output of composer install -- it lists each patch as it is applied, and unless composer-exit-on-patch-failure is enabled a failed patch appears there only as a warning. The plugin also records what it applied under extra.patches_applied for each patched package in vendor/composer/installed.json. To confirm the exact installed release of the metapackage itself:
composer show magento/product-community-edition
Finally, confirm the fix is present in the deployed code: open the file the patch touches under vendor/ and check that the changed lines are there. A version number or a Composer log line proves a package was installed, not that the code serving requests is the patched code.
Functional Testing
After applying security patches:
- Checkout flow: Complete a test order from cart to confirmation
- Customer login/registration: Verify authentication works
- Admin panel: Log in and verify basic admin operations
- Payment processing: Test payment gateway integration
- API endpoints: If using REST or GraphQL, verify key queries/mutations still work
Testing Workflow
Never apply patches directly to production. Follow a staging workflow:
- Development environment: Apply the patch, run automated tests
- Staging environment: Deploy the patched version, perform manual QA testing
- Production: Deploy after staging validation
Use maintenance mode during production deployment so customers never reach a half-upgraded store; pass your own address with --ip to maintenance:enable so you can smoke-test the patched store before reopening it:
php bin/magento maintenance:enable
# Apply patch and run deployment commands
php bin/magento maintenance:disable
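Typed by hand, the production step has two weak points: a mistyped or pasted release string goes straight into composer, and a failure halfway through leaves someone deciding under pressure whether to reopen the store. The script below is an added example, not Adobe's or the page's own script, that wraps the sequence above: it validates the release string, keeps the store in maintenance mode until the CLI reports the release that was deployed, and leaves maintenance mode on if any step fails. It assumes it is run from the Magento root as the file-system owner; DRY_RUN=1 is a hypothetical switch that prints each command instead of running it, so the plan can be rehearsed outside a store.

```shell
#!/bin/sh
# Added example, not Adobe's or the page's own script: the production step of
# the staging workflow as one wrapper. Assumes the Magento root as the working
# directory. DRY_RUN=1 prints commands instead of executing them.
set -eu

# Run a command, or only print it when rehearsing.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Only the release shapes Adobe publishes (2.4.7 or 2.4.7-pN) are accepted, so
# an operator cannot hand composer an arbitrary constraint or shell metacharacters.
valid_release() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-p[0-9]+)?$'
}

# Compare the release we asked for with the output of `php bin/magento --version`
# (e.g. "Magento CLI 2.4.7-p3"). Exit 0 only on an exact match, so 2.4.7 does
# not pass for 2.4.7-p3.
version_matches() {
    expected=$1
    reported=$(printf '%s\n' "$2" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(-p[0-9]+)?' | head -n 1)
    [ "$reported" = "$expected" ]
}

# The deployment sequence from the article, fenced by maintenance mode.
deploy_patch() {
    release=$1
    valid_release "$release" || {
        echo "refusing to deploy malformed release '$release'" >&2
        return 2
    }
    run php bin/magento maintenance:enable
    # If anything below fails, set -e stops the script here with the store still
    # closed; reopening a half-upgraded store is a deliberate human decision.
    trap 'echo "deployment failed: store left in maintenance mode for manual recovery" >&2' EXIT
    run composer require "magento/product-community-edition=$release" --no-update
    run composer update magento/product-community-edition --with-dependencies
    run php bin/magento setup:upgrade
    run php bin/magento setup:di:compile
    run php bin/magento setup:static-content:deploy
    run php bin/magento cache:flush
    if [ "${DRY_RUN:-0}" != 1 ]; then
        # Do not reopen unless the CLI now reports exactly the release deployed.
        version_matches "$release" "$(php bin/magento --version)"
    fi
    trap - EXIT
    run php bin/magento maintenance:disable
}

# Usage: deploy-patch.sh 2.4.7-p3            real deployment
#        DRY_RUN=1 deploy-patch.sh 2.4.7-p3  rehearsal
# With no argument the script only rehearses the plan for 2.4.7-p3.
if [ $# -eq 0 ]; then
    DRY_RUN=1 deploy_patch 2.4.7-p3
else
    deploy_patch "$1"
fi
```

The release check deliberately rejects Composer constraints such as ^2.4 as well as anything containing shell metacharacters: a security patch deployment should install one named release, and only that one. Leaving maintenance mode enabled on failure is the conservative choice; the trap message tells the operator why the store is still closed.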
See also: Magento 2 Maintenance Mode