Adobe Commerce | Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Description
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a resource's state and its use, allowing unauthorized write access. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is vulnerable to a TOCTOU race condition that lets an attacker bypass a security check and gain unauthorized write access.
Vulnerability
Overview
A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists in Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier [1]. This flaw occurs when the software checks a resource's state but then uses that resource after a timing window during which the state can be altered, leading to a security feature bypass [1].
Exploitation
Method
An attacker can exploit this race condition by manipulating the timing between a resource state check and its subsequent use, which does not require user interaction [1]. While the description does not specify authentication requirements, TOCTOU vulnerabilities in e-commerce platforms typically require authenticated access to trigger the condition. The GitHub repository for Magento Open Source provides the codebase where such race conditions can be analyzed [2].
Impact
Successful exploitation grants an attacker unauthorized write access to resources that should be protected by security features [1]. This could allow modification of sensitive data, bypass of access controls, or injection of malicious content within the application.
Mitigation
Adobe has released security updates addressing this vulnerability in the latest patch versions. Users should upgrade to the appropriate patched version (e.g., 2.4.9-beta1 or later) as specified in Adobe's security bulletin. No workarounds are documented.
- [1] NVD - CVE-2025-49558
- [2] GitHub - magento/magento2 (Magento Open Source repository)
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha2 | 2.4.9-alpha2 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p2 | 2.4.8-p2 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p7 | 2.4.7-p7 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p12 | 2.4.6-p12 |
| magento/community-edition (Packagist) | < 2.4.5-p14 | 2.4.5-p14 |
Affected products
- Range: <= 2.4.9-alpha1
- Adobe / Adobe Commerce (v5) - Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wcmw-8xpp-rwfj (ghsa, ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-71.html (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-49558 (ghsa, ADVISORY)
News mentions
No linked articles in our index yet.