CVE-2025-49556
Magento has incorrect authorization issue that leads to arbitrary file system read
7.5
HIGH
CVSS 3.1
EPSS 0.27%
Description
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged.
How to fix CVE-2025-49556
To remediate CVE-2025-49556, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2.4.9-alpha2 or later
- no fix listed
Is CVE-2025-49556 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.4.9-alpha1, < 2.4.9-alpha2
- from 0, <= 2.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |