What is the severity of CVE-2025-24406?

CVE-2025-24406 is classified as a critical vulnerability due to its potential for a security feature bypass through path traversal.

How do I fix CVE-2025-24406?

To fix CVE-2025-24406, upgrade to Adobe Commerce versions 2.4.7 or later that have addressed this vulnerability.

What types of systems are affected by CVE-2025-24406?

CVE-2025-24406 affects Adobe Commerce versions up to 2.4.7-beta1 and includes earlier versions such as 2.4.6-p8 and 2.4.5-p10.

What can an attacker achieve by exploiting CVE-2025-24406?

By exploiting CVE-2025-24406, an attacker could bypass security features intended to protect restricted directories.

Is there a workaround for CVE-2025-24406 if I cannot upgrade?

Currently, there are no recommended workarounds for CVE-2025-24406; therefore, upgrading the software is strongly advised.

Vulnerability/
CVE-2025-24406

high

7.5

CWE

EPSS

0.044%

11/2/2025

17/4/2025

CVE-2025-24406: Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

First published: Tue Feb 11 2025(Updated: )

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to a security feature bypass. An unauthenticated attacker could exploit this vulnerability to modify files that are stored outside the restricted directory. Exploitation of this issue does not require user interaction.

Credit: psirt@adobe.com

Affected Software	Affected Version	How to fix
Adobe Magento Commerce	<2.4.7
Adobe Magento Commerce	<2.4.8
composer/magento/project-community-edition	<=2.0.2
composer/magento/community-edition	=2.4.8-beta1
composer/magento/community-edition	=2.4.4
composer/magento/community-edition	=2.4.5
composer/magento/community-edition	=2.4.6
composer/magento/community-edition	=2.4.7
composer/magento/community-edition	<2.4.4-p12	2.4.4-p12
composer/magento/community-edition	>=2.4.5-p1<2.4.5-p11	2.4.5-p11
composer/magento/community-edition	>=2.4.6-p1<2.4.6-p9	2.4.6-p9
composer/magento/community-edition	>=2.4.7-beta1<2.4.7-p4	2.4.7-p4
Adobe Magento Commerce	<2.4.4
Adobe Magento Commerce	=2.4.4
Adobe Magento Commerce	=2.4.4-p1
Adobe Magento Commerce	=2.4.4-p10
Adobe Magento Commerce	=2.4.4-p11
Adobe Magento Commerce	=2.4.4-p2
Adobe Magento Commerce	=2.4.4-p3
Adobe Magento Commerce	=2.4.4-p4
Adobe Magento Commerce	=2.4.4-p5
Adobe Magento Commerce	=2.4.4-p6
Adobe Magento Commerce	=2.4.4-p7
Adobe Magento Commerce	=2.4.4-p8
Adobe Magento Commerce	=2.4.4-p9
Adobe Magento Commerce	=2.4.5
Adobe Magento Commerce	=2.4.5-p1
Adobe Magento Commerce	=2.4.5-p10
Adobe Magento Commerce	=2.4.5-p2
Adobe Magento Commerce	=2.4.5-p3
Adobe Magento Commerce	=2.4.5-p4
Adobe Magento Commerce	=2.4.5-p5
Adobe Magento Commerce	=2.4.5-p6
Adobe Magento Commerce	=2.4.5-p7
Adobe Magento Commerce	=2.4.5-p8
Adobe Magento Commerce	=2.4.5-p9
Adobe Magento Commerce	=2.4.6
Adobe Magento Commerce	=2.4.6-p1
Adobe Magento Commerce	=2.4.6-p2
Adobe Magento Commerce	=2.4.6-p3
Adobe Magento Commerce	=2.4.6-p4
Adobe Magento Commerce	=2.4.6-p5
Adobe Magento Commerce	=2.4.6-p6
Adobe Magento Commerce	=2.4.6-p7
Adobe Magento Commerce	=2.4.6-p8
Adobe Magento Commerce	=2.4.7
Adobe Magento Commerce	=2.4.7-p1
Adobe Magento Commerce	=2.4.7-p2
Adobe Magento Commerce	=2.4.7-p3
Adobe Magento Commerce	=2.4.8-beta1
Adobe Commerce	<1.3.3
Adobe Commerce	=1.3.3
Adobe Commerce	=1.3.3-p10
Adobe Commerce	=1.3.3-p11
Adobe Commerce	=1.3.4
Adobe Commerce	=1.3.4-p10
Adobe Commerce	=1.3.4-p9
Adobe Commerce	=1.3.5
Adobe Commerce	=1.3.5-p7
Adobe Commerce	=1.3.5-p8
Adobe Commerce	=1.4.2
Adobe Commerce	=1.4.2-p1
Adobe Commerce	=1.4.2-p2
Adobe Commerce	=1.4.2-p3
Adobe Commerce	=1.5.0
Magento	<2.4.4
Magento	=2.4.4
Magento	=2.4.4-p1
Magento	=2.4.4-p10
Magento	=2.4.4-p11
Magento	=2.4.4-p2
Magento	=2.4.4-p3
Magento	=2.4.4-p4
Magento	=2.4.4-p5
Magento	=2.4.4-p6
Magento	=2.4.4-p7
Magento	=2.4.4-p8
Magento	=2.4.4-p9
Magento	=2.4.5
Magento	=2.4.5-p1
Magento	=2.4.5-p10
Magento	=2.4.5-p2
Magento	=2.4.5-p3
Magento	=2.4.5-p4
Magento	=2.4.5-p5
Magento	=2.4.5-p6
Magento	=2.4.5-p7
Magento	=2.4.5-p8
Magento	=2.4.5-p9
Magento	=2.4.6
Magento	=2.4.6-p1
Magento	=2.4.6-p2
Magento	=2.4.6-p3
Magento	=2.4.6-p4
Magento	=2.4.6-p5
Magento	=2.4.6-p6
Magento	=2.4.6-p7
Magento	=2.4.6-p8
Magento	=2.4.7
Magento	=2.4.7-p1
Magento	=2.4.7-p2
Magento	=2.4.7-p3
Magento	=2.4.8-beta1
	<2.4.4
	=2.4.4
	=2.4.4-p1
	=2.4.4-p10
	=2.4.4-p11
	=2.4.4-p2
	=2.4.4-p3
	=2.4.4-p4
	=2.4.4-p5
	=2.4.4-p6
	=2.4.4-p7
	=2.4.4-p8
	=2.4.4-p9
	=2.4.5
	=2.4.5-p1
	=2.4.5-p10
	=2.4.5-p2
	=2.4.5-p3
	=2.4.5-p4
	=2.4.5-p5
	=2.4.5-p6
	=2.4.5-p7
	=2.4.5-p8
	=2.4.5-p9
	=2.4.6
	=2.4.6-p1
	=2.4.6-p2
	=2.4.6-p3
	=2.4.6-p4
	=2.4.6-p5
	=2.4.6-p6
	=2.4.6-p7
	=2.4.6-p8
	=2.4.7
	=2.4.7-p1
	=2.4.7-p2
	=2.4.7-p3
	=2.4.8-beta1
	<1.3.3
	=1.3.3
	=1.3.3-p10
	=1.3.3-p11
	=1.3.4
	=1.3.4-p10
	=1.3.4-p9
	=1.3.5
	=1.3.5-p7
	=1.3.5-p8
	=1.4.2
	=1.4.2-p1
	=1.4.2-p2
	=1.4.2-p3
	=1.5.0
	<2.4.4
	=2.4.4
	=2.4.4-p1
	=2.4.4-p10
	=2.4.4-p11
	=2.4.4-p2
	=2.4.4-p3
	=2.4.4-p4
	=2.4.4-p5
	=2.4.4-p6
	=2.4.4-p7
	=2.4.4-p8
	=2.4.4-p9
	=2.4.5
	=2.4.5-p1
	=2.4.5-p10
	=2.4.5-p2
	=2.4.5-p3
	=2.4.5-p4
	=2.4.5-p5
	=2.4.5-p6
	=2.4.5-p7
	=2.4.5-p8
	=2.4.5-p9
	=2.4.6
	=2.4.6-p1
	=2.4.6-p2
	=2.4.6-p3
	=2.4.6-p4
	=2.4.6-p5
	=2.4.6-p6
	=2.4.6-p7
	=2.4.6-p8
	=2.4.7
	=2.4.7-p1
	=2.4.7-p2
	=2.4.7-p3
	=2.4.8-beta1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-24406?
CVE-2025-24406 is classified as a critical vulnerability due to its potential for a security feature bypass through path traversal.
How do I fix CVE-2025-24406?
To fix CVE-2025-24406, upgrade to Adobe Commerce versions 2.4.7 or later that have addressed this vulnerability.
What types of systems are affected by CVE-2025-24406?
CVE-2025-24406 affects Adobe Commerce versions up to 2.4.7-beta1 and includes earlier versions such as 2.4.6-p8 and 2.4.5-p10.
What can an attacker achieve by exploiting CVE-2025-24406?
By exploiting CVE-2025-24406, an attacker could bypass security features intended to protect restricted directories.
Is there a workaround for CVE-2025-24406 if I cannot upgrade?
Currently, there are no recommended workarounds for CVE-2025-24406; therefore, upgrading the software is strongly advised.

agent/weakness
agent/title
agent/type
agent/first-publish-date
agent/author
agent/source
agent/references
agent/guess-ai
agent/software-canonical-lookup
collector/epss-latest
source/FIRST
agent/epss
agent/severity
agent/tags
agent/softwarecombine
collector/mitre-cve
source/MITRE
collector/github-advisory-latest
source/GitHub
alias/GHSA-954p-ff72-327w
alias/CVE-2025-24406
agent/last-modified-date
agent/description
agent/event
collector/github-advisory
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
collector/nvd-api
vendor/adobe
canonical/adobe magento commerce
package-manager/composer
version/adobe magento commerce/2.4.4
version/adobe magento commerce/2.4.4-p1
version/adobe magento commerce/2.4.4-p10
version/adobe magento commerce/2.4.4-p11
version/adobe magento commerce/2.4.4-p2
version/adobe magento commerce/2.4.4-p3
version/adobe magento commerce/2.4.4-p4
version/adobe magento commerce/2.4.4-p5
version/adobe magento commerce/2.4.4-p6
version/adobe magento commerce/2.4.4-p7
version/adobe magento commerce/2.4.4-p8
version/adobe magento commerce/2.4.4-p9
version/adobe magento commerce/2.4.5
version/adobe magento commerce/2.4.5-p1
version/adobe magento commerce/2.4.5-p10
version/adobe magento commerce/2.4.5-p2
version/adobe magento commerce/2.4.5-p3
version/adobe magento commerce/2.4.5-p4
version/adobe magento commerce/2.4.5-p5
version/adobe magento commerce/2.4.5-p6
version/adobe magento commerce/2.4.5-p7
version/adobe magento commerce/2.4.5-p8
version/adobe magento commerce/2.4.5-p9
version/adobe magento commerce/2.4.6
version/adobe magento commerce/2.4.6-p1
version/adobe magento commerce/2.4.6-p2
version/adobe magento commerce/2.4.6-p3
version/adobe magento commerce/2.4.6-p4
version/adobe magento commerce/2.4.6-p5
version/adobe magento commerce/2.4.6-p6
version/adobe magento commerce/2.4.6-p7
version/adobe magento commerce/2.4.6-p8
version/adobe magento commerce/2.4.7
version/adobe magento commerce/2.4.7-p1
version/adobe magento commerce/2.4.7-p2
version/adobe magento commerce/2.4.7-p3
version/adobe magento commerce/2.4.8-beta1
canonical/adobe commerce
version/adobe commerce/1.3.3
version/adobe commerce/1.3.3-p10
version/adobe commerce/1.3.3-p11
version/adobe commerce/1.3.4
version/adobe commerce/1.3.4-p10
version/adobe commerce/1.3.4-p9
version/adobe commerce/1.3.5
version/adobe commerce/1.3.5-p7
version/adobe commerce/1.3.5-p8
version/adobe commerce/1.4.2
version/adobe commerce/1.4.2-p1
version/adobe commerce/1.4.2-p2
version/adobe commerce/1.4.2-p3
version/adobe commerce/1.5.0
canonical/magento
version/magento/2.4.4
version/magento/2.4.4-p1
version/magento/2.4.4-p10
version/magento/2.4.4-p11
version/magento/2.4.4-p2
version/magento/2.4.4-p3
version/magento/2.4.4-p4
version/magento/2.4.4-p5
version/magento/2.4.4-p6
version/magento/2.4.4-p7
version/magento/2.4.4-p8
version/magento/2.4.4-p9
version/magento/2.4.5
version/magento/2.4.5-p1
version/magento/2.4.5-p10
version/magento/2.4.5-p2
version/magento/2.4.5-p3
version/magento/2.4.5-p4
version/magento/2.4.5-p5
version/magento/2.4.5-p6
version/magento/2.4.5-p7
version/magento/2.4.5-p8
version/magento/2.4.5-p9
version/magento/2.4.6
version/magento/2.4.6-p1
version/magento/2.4.6-p2
version/magento/2.4.6-p3
version/magento/2.4.6-p4
version/magento/2.4.6-p5
version/magento/2.4.6-p6
version/magento/2.4.6-p7
version/magento/2.4.6-p8
version/magento/2.4.7
version/magento/2.4.7-p1
version/magento/2.4.7-p2
version/magento/2.4.7-p3
version/magento/2.4.8-beta1