CVE-2025-22386
Published: 04 January 2025
Description
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable.
Security Summary
CVE-2025-22386 is a session management vulnerability discovered in Optimizely Configured Commerce versions prior to 5.2.2408, specifically impacting the Commerce B2B application's storefront. The issue involves insufficient session expiration (CWE-613), where session tokens tied to logged-out sessions remain active and usable beyond their intended lifespan. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating medium-high severity due to network accessibility and potential for significant data exposure or manipulation.
The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R). By obtaining a session token from a logged-out session—potentially through prior access or interception—the attacker can reuse it to impersonate the user, achieving high impacts on confidentiality (C:H) and integrity (I:H) without affecting availability (A:N). This enables unauthorized access to or modification of sensitive storefront data.
Optimizely has published security advisory COM-2024-04 at https://support.optimizely.com/hc/en-us/articles/32695284701069-Configured-Commerce-Security-Advisory-COM-2024-04, which details the vulnerability and mitigation steps. Practitioners should upgrade to Optimizely Configured Commerce 5.2.2408 or later to address the session longevity issue.
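As an added illustration of the insufficient-session-expiration class (CWE-613) described above, and not code from Optimizely or from the advisory, the following constructed Python session store contrasts a logout that only drops the client-side cookie, which leaves the server-side token usable, with one that revokes the token on the server. The in-memory store, the TTL and the function names are assumptions for the example.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed, in-memory session store for illustration only (not Optimizely code).
# Each token maps to the owning user and an absolute expiry timestamp.
_sessions: Dict[str, dict] = {}
SESSION_TTL = 30 * 60  # assumed absolute lifetime of 30 minutes


def login(user: str, now: Optional[float] = None) -> str:
    """Issue a fresh, unguessable token bound to `user`."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = {"user": user, "expires": now + SESSION_TTL}
    return token


def validate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a live token, or None if unknown or expired."""
    now = time.time() if now is None else now
    rec = _sessions.get(token)
    if rec is None:
        return None
    if now >= rec["expires"]:
        _sessions.pop(token, None)  # lazily purge expired records
        return None
    return rec["user"]


def logout_weak(token: str) -> None:
    """Weak logout: only instructs the browser to discard its cookie.
    The server-side record is untouched, so the token keeps authenticating
    until the absolute TTL elapses: the behaviour the advisory describes."""
    # A real handler would emit: Set-Cookie: session=; Max-Age=0
    return None


def logout_strong(token: str) -> None:
    """Correct logout: revoke the server-side record so the token can never
    authenticate again, whatever the client does with its copy."""
    _sessions.pop(token, None)


def logout_all(user: str) -> int:
    """Revoke every session for a user (e.g. on password change); returns count."""
    doomed = [t for t, r in _sessions.items() if r["user"] == user]
    for t in doomed:
        del _sessions[t]
    return len(doomed)
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; production code would use the real clock and a shared store such as a database or cache.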
Details
- CWE(s)