Magento drops 2.4.9-alpha2 and critical security patches on the same day


On August 12, 2025, Adobe made two significant announcements in the Magento ecosystem — one looking toward the future, the other protecting the present:

  1. Magento Open Source 2.4.9-alpha2 — a preview release that showcases new features, upgraded dependencies, and integration changes.

  2. Security Bulletin APSB25-71 — critical patches available for all supported Magento versions, fixing vulnerabilities that could lead to full site compromise.

Although they were announced together, these releases serve different purposes — and it’s important to understand which applies to you right now.

Magento Open Source 2.4.9-alpha2: Preview of What’s Next

The alpha stage is not for production use — Adobe clearly states it may be incomplete and contain defects — but it offers an early look at what’s coming in the stable 2.4.9 release.

Infrastructure & Framework Updates

  • OpenSearch 3.x support — Magento now runs smoothly with OpenSearch 3.x, bringing better performance, security patches from the search engine side, and longer-term support. Backward compatibility with OpenSearch 2.x remains.

  • Nginx 1.28 in dev/test — Development and testing environments now use the latest stable Nginx, ensuring compatibility before deployment to production.

  • Valkey 8.x support — A Redis-compatible, open-source key-value store now fully integrated with Magento CLI and cloud setups. This offers merchants an alternative as Redis approaches end-of-life.

WYSIWYG Editor Change

The long-used TinyMCE editor is being replaced with HugeRTE, an open-source alternative.
Why the change? TinyMCE 5 and 6 are end-of-support, TinyMCE 7 has licensing issues, and HugeRTE avoids known vulnerabilities while staying fully open-source. Custom modules, Page Builder extensions, or admin workflows that depend on TinyMCE APIs may be affected and may need adjustments before upgrading.

JavaScript Library Updates

Magento’s frontend and admin UIs now bundle newer versions of key JS libraries:

  • jQuery Validate 1.21.0

  • jQuery UI 1.14.1

  • Less.js 4.2.2

  • Moment Timezone 0.5.43

  • Underscore.js 1.13.7

These upgrades improve validation, accessibility, CSS compilation, timezone handling, and overall browser compatibility — but could expose compatibility issues in older custom themes.

USPS RESTful API Migration

One of the most practical changes in alpha2 is the migration from USPS’s legacy Web Tools API to its RESTful API.

Why now? USPS will retire Web Tools on January 25, 2026. Waiting until then could mean a scramble to restore shipping functionality.

Highlights:

  • Dual API mode — choose between legacy and REST while testing.

  • OAuth 2.0 authentication — more secure than legacy credentials.

  • JSON over XML — faster, cleaner data exchange.

  • New admin fields for REST mode: URL endpoints, client credentials, account identifiers, and REST-specific shipping methods.

Recommendation: Merchants using USPS should enable and test REST in a staging environment well before the cutoff date.

Security Bulletin APSB25-71: Immediate Action Required

While the alpha’s new features may be exciting, the security bulletin is relevant to every merchant running a supported version — from Magento Open Source 2.4.4-p14 up to 2.4.9-alpha1.

Vulnerabilities Fixed

  • CVE-2025-49554: Improper Input Validation → Application Denial-of-Service (Critical, no authentication required).

  • CVE-2025-49555: Cross-Site Request Forgery (CSRF) → Privilege Escalation (Critical, requires admin login).

  • CVE-2025-49556: Incorrect Authorization → Arbitrary File Read (Critical).

  • CVE-2025-49557: Stored Cross-Site Scripting (XSS) → Privilege Escalation (Critical).

  • CVE-2025-49558: Time-of-check Time-of-use (TOCTOU) Race Condition → Security feature bypass (Important).

  • CVE-2025-49559: Path Traversal → Security feature bypass (Important).

Why this matters:
These vulnerabilities could allow attackers to:

  • Take down your site without logging in.

  • Escalate privileges from admin to full server control.

  • Read sensitive files from the server.

  • Execute malicious scripts in other admin sessions.

Adobe notes there are no known exploits in the wild, but history shows that public disclosure often leads to exploit attempts within weeks.

Which Release Applies to You?

  • Running production store:
    Apply the latest patch for your version line immediately — for example, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, or 2.4.4-p15. You do not need to install the alpha to get these security fixes.

  • Testing alpha releases:
    Review and test the new features in 2.4.9-alpha2, especially if you use USPS, Valkey, or custom admin/editor functionality.

  • Maintaining extensions/themes:
    Check compatibility against updated JS libraries, the HugeRTE editor, and the USPS REST API changes.
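A quick way to act on the version table above is a small check that classifies an installed Magento version against the minimum patched release for its line. The script below is an added example, not code from the post or from Adobe/Magento; the minimum patch levels are the five releases named above (2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15), and the optional `bin/magento --version` parsing assumes the version string is the last whitespace-separated token of that command's output.

```shell
#!/bin/sh
# Added example (not from the original post or from Adobe/Magento):
# classify a Magento 2.4.x version string against the minimum release
# that carries the APSB25-71 fixes for its version line.

# Minimum patch level per supported line, as listed in the post.
# Prints nothing for lines the post does not list (end-of-life or unreleased).
min_patch_for_line() {
    case "$1" in
        2.4.8) echo 2 ;;
        2.4.7) echo 7 ;;
        2.4.6) echo 12 ;;
        2.4.5) echo 14 ;;
        2.4.4) echo 15 ;;
        *)     echo "" ;;
    esac
}

# classify_version "2.4.7-p5" prints one of:
#   PATCHED      - at or above the minimum patch level for its line
#   NEEDS_PATCH  - a supported line below the minimum patch level
#   UNSUPPORTED  - a line with no APSB25-71 patch listed (plan an upgrade)
#   PREVIEW      - a 2.4.9 alpha build, which is not a production target
#   INVALID      - not a recognisable 2.4.x version string
classify_version() {
    ver="$1"
    case "$ver" in
        2.4.[0-9]-p[0-9]*) line="${ver%-p*}"; patch="${ver##*-p}" ;;  # e.g. 2.4.7-p5
        2.4.[0-9])         line="$ver";       patch=0 ;;               # unpatched base release
        2.4.9-alpha*)      echo PREVIEW; return ;;
        *)                 echo INVALID; return ;;
    esac
    # Reject anything whose patch suffix is not purely numeric.
    case "$patch" in
        ''|*[!0-9]*) echo INVALID; return ;;
    esac
    min="$(min_patch_for_line "$line")"
    if [ -z "$min" ]; then
        echo UNSUPPORTED
    elif [ "$patch" -ge "$min" ]; then
        echo PATCHED
    else
        echo NEEDS_PATCH
    fi
}

# Optional stand-alone use: pass a version string, or run from a Magento root
# with no argument to read it from bin/magento (assumed output format:
# "Magento CLI 2.4.7-p5", version taken as the last token).
if [ $# -gt 0 ]; then
    classify_version "$1"
elif [ -x bin/magento ]; then
    classify_version "$(php bin/magento --version 2>/dev/null | awk '{print $NF}')"
fi
```

Run it as `sh check_patch.sh 2.4.7-p5` (prints NEEDS_PATCH) or with no argument from the store root. A base release without a `-p` suffix is treated as patch level 0, so `2.4.8` is correctly reported as needing 2.4.8-p2.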

How to Prioritize

First priority: Patch security vulnerabilities on your live site.
Second priority: Begin testing your stack against alpha changes if you want a smooth upgrade path to the stable 2.4.9.
