Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Description
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Commerce is vulnerable to a path traversal flaw that allows an unauthenticated attacker to bypass security features and modify limited data.
Vulnerability Overview
CVE-2025-49559 is an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability affecting Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14, and earlier [1]. The root cause is insufficient validation of user-supplied path input, allowing an attacker to traverse directories outside the intended restricted area.
Attack Vector and Requirements
An attacker can exploit this vulnerability remotely without requiring user interaction or authentication [1]. No special privileges are needed, and the attack can be launched over the network. The exploit does not require any prior access or credentials.
Impact
Successful exploitation results in a security feature bypass, enabling the attacker to modify limited data within the application [1]. The scope of modification is restricted, but it can still lead to unauthorized changes that may affect the integrity of the store or its configuration.
Mitigation
Adobe has not yet released a patch for this vulnerability as of the publication date [1]. Users should monitor Adobe’s security advisory for updates. The official Magento Open Source repository provides the source code for review and potential workaround development [2].
- [1] NVD - CVE-2025-49559
- [2] GitHub - magento/magento2 (Magento Open Source repository)
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (source) | Affected versions | Patched versions |
|---|---|---|
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
| magento/community-edition (Packagist) | >= 2.4.9-alpha1, < 2.4.9-alpha2 | 2.4.9-alpha2 |
| magento/community-edition (Packagist) | >= 2.4.8-beta1, < 2.4.8-p2 | 2.4.8-p2 |
| magento/community-edition (Packagist) | >= 2.4.7-beta1, < 2.4.7-p7 | 2.4.7-p7 |
| magento/community-edition (Packagist) | >= 2.4.6-p1, < 2.4.6-p12 | 2.4.6-p12 |
| magento/community-edition (Packagist) | < 2.4.5-p14 | 2.4.5-p14 |
Affected products
- Range: <=2.4.9-alpha1, <=2.4.8-p1, <=2.4.7-p6, <=2.4.6-p11, <=2.4.5-p13, <=2.4.4-p14
- Adobe/Adobe Commerce (v5) Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h4f4-gv6h-x824 (ghsa; ADVISORY)
- helpx.adobe.com/security/products/magento/apsb25-71.html (ghsa; vendor-advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-49559 (ghsa; ADVISORY)
News mentions
No linked articles in our index yet.