CVE-2025-22387
Published: 04 January 2025
Description
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking.
Security Summary
CVE-2025-22387 is a vulnerability discovered in Optimizely Configured Commerce versions before 5.2.2408. The issue arises in requests for resources where the session token is submitted as a URL parameter, exposing information about the authenticated session. This exposure can be leveraged for session hijacking. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-598.
The vulnerability can be exploited by any unauthenticated attacker with network access, requiring low complexity and no user interaction. By intercepting or accessing the session token embedded in URL parameters—potentially through server logs, proxy logs, or HTTP referer headers—an attacker can hijack an active authenticated session. This grants the attacker the same level of access as the victim, enabling unauthorized actions within the application and potential exposure of sensitive session-bound data.
Optimizely has published a security advisory, COM-2024-06, detailing the issue and mitigation at https://support.optimizely.com/hc/en-us/articles/32695551034893-Configured-Commerce-Security-Advisory-COM-2024-06. Vulnerable installations should upgrade to Optimizely Configured Commerce 5.2.2408 or later, where the issue is addressed.
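The weakness class the advisory cites (CWE-598, a sensitive value carried in a GET query string) leaves the token wherever URLs are recorded, so a defender's first practical step is to find out whether session tokens are already sitting in access or proxy logs and to stop recording them. The script below is an added example and is not code from the advisory or from Optimizely; the parameter names it looks for and the access-log lines it scans are constructed for illustration, since the advisory does not name the query parameter Configured Commerce uses. It scans combined-format log lines for a session token in either the request target or the Referer header, and returns each finding with the token value redacted so the report itself does not become another copy of the secret.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry a session token.
# ASSUMPTION: the advisory does not name the parameter involved; this list is
# illustrative and should be extended to match the application being audited.
SENSITIVE_PARAMS = {
    "sessiontoken", "session_token", "sid", "token",
    "access_token", "jsessionid", "phpsessid",
}

# Apache/nginx "combined" access-log layout:
# client ident user [timestamp] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic). Line 2 sends the token in the
# query string; line 3 shows the same URL leaking again through the Referer header.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /catalog/item/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /api/v1/cart?sessionToken=abc123def456 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://shop.example/api/v1/cart?sessionToken=abc123def456" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "POST /api/v1/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def sensitive_params_in(url, sensitive=SENSITIVE_PARAMS):
    """Return the names of sensitive query parameters present in `url` (empty if none)."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in sensitive]


def redact_query(url, sensitive=SENSITIVE_PARAMS):
    """Return `url` with the values of sensitive query parameters replaced by [REDACTED].

    Suitable as a log-sanitisation step in a proxy or application logger so that
    a token that does reach the URL is never written to disk in the clear.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in sensitive else v) for k, v in pairs]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets.
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def scan_access_log(lines, sensitive=SENSITIVE_PARAMS):
    """Return one finding per place a session token appears: the request target or the Referer.

    Each finding records the client, where the token was seen, which parameter
    names matched, and the offending URL with the token value redacted.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for where in ("target", "referer"):
            hit = sensitive_params_in(m.group(where), sensitive)
            if hit:
                findings.append({
                    "client": m.group("client"),
                    "timestamp": m.group("ts"),
                    "where": where,
                    "params": hit,
                    "url": redact_query(m.group(where), sensitive),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} token in {f['where']}: {f['url']}")
```

Run against real logs, a non-empty result means tokens have already been persisted and the affected sessions should be treated as exposed (invalidated) in addition to applying the vendor upgrade. Keeping `redact_query` in the logging path is a stop-gap only: the durable fix is the 5.2.2408 release, which moves the token out of the URL, and a restrictive `Referrer-Policy` on the application further limits what browsers send to third parties in the Referer header.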
Details
- CWE(s): CWE-598