CVE-2025-10422

4.3 MEDIUM

📋 TL;DR

This vulnerability in newbee-mall's order status handler allows an attacker to supply another user's order number (the orderNo parameter) and bypass the authorization check. Remote attackers can potentially access or modify order information without proper permissions. All deployments running affected versions are vulnerable.

💻 Affected Systems

Products:
  • newbee-mall
Versions: Up to commit 613a662adf1da7623ec34459bc83e3c1b12d8ce7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /paySuccess endpoint in the order status handler component. The project follows a rolling release model, so no specific version numbers are provided.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could view, modify, or delete order data for any user, potentially leading to data theft, order manipulation, or financial fraud.

🟠 Likely Case

Unauthorized viewing of order details and customer information, potentially exposing PII and order history.

🟢 If Mitigated

Limited impact with proper input validation and authorization checks in place, restricting access to legitimate users only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

An exploit has been disclosed publicly; it requires manipulation of the orderNo parameter. Remote exploitation is possible but may require some authentication context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit after 613a662adf1da7623ec34459bc83e3c1b12d8ce7

Vendor Advisory: https://github.com/newbee-ltd/newbee-mall/issues/100

Restart Required: No

Instructions:

1. Pull the latest code from the repository.
2. Verify that the checked-out commit is newer than 613a662adf1da7623ec34459bc83e3c1b12d8ce7.
3. Deploy the updated code to production.

🔧 Temporary Workarounds

Input Validation Enhancement (all)

Add a server-side check that the orderNo parameter refers to an order belonging to the authenticated user before the handler acts on it.

WAF Rule Implementation (all)

Block suspicious orderNo parameter patterns at the web application firewall.

🧯 If You Can't Patch

  • Implement strict authorization checks in application layer before processing orderNo parameter
  • Monitor /paySuccess endpoint for unusual access patterns and implement rate limiting
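The workarounds above and the first "If You Can't Patch" item come down to one server-side rule: resolve orderNo, then confirm the order belongs to the session user before touching it. The following is an added example written for this advisory, not code from newbee-mall; the Order and OrderRepository types, the status values, the length limit on orderNo and the decision to answer "not yours" with the same response as "no such order" are all assumptions standing in for the project's real persistence and web layers.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Illustrative ownership check for an order-status endpoint such as /paySuccess.
 * Added example: the types below are assumptions, not newbee-mall's own classes.
 */
public class OrderOwnershipCheck {

    /** Minimal order record (assumed shape). */
    static final class Order {
        final String orderNo;
        final long ownerUserId;
        String status;

        Order(String orderNo, long ownerUserId, String status) {
            this.orderNo = orderNo;
            this.ownerUserId = ownerUserId;
            this.status = status;
        }
    }

    /** In-memory stand-in for the order table (constructed data, assumed API). */
    static final class OrderRepository {
        private final Map<String, Order> byOrderNo = new HashMap<>();

        void save(Order order) { byOrderNo.put(order.orderNo, order); }

        Optional<Order> findByOrderNo(String orderNo) {
            return Optional.ofNullable(byOrderNo.get(orderNo));
        }
    }

    /** Handler outcome; NOT_FOUND covers both "missing" and "owned by someone else". */
    enum Outcome { OK, NOT_FOUND, BAD_REQUEST }

    private final OrderRepository orders;

    OrderOwnershipCheck(OrderRepository orders) { this.orders = orders; }

    /**
     * The vulnerable pattern: trust orderNo from the request and act on whatever
     * it resolves to, so any caller who knows an orderNo can flip its status.
     */
    Outcome paySuccessUnchecked(String orderNo) {
        Optional<Order> found = orders.findByOrderNo(orderNo);
        if (found.isEmpty()) return Outcome.NOT_FOUND;
        found.get().status = "PAID";
        return Outcome.OK;
    }

    /**
     * The hardened pattern: sessionUserId comes from the server-side session
     * (never from the request), the order must exist AND belong to that user,
     * and both failures map to the same outcome so the endpoint does not reveal
     * which orderNo values exist.
     */
    Outcome paySuccessChecked(long sessionUserId, String orderNo) {
        // Cheap input validation first; the length limit is an assumed placeholder.
        if (orderNo == null || orderNo.isBlank() || orderNo.length() > 32) {
            return Outcome.BAD_REQUEST;
        }
        Optional<Order> found = orders.findByOrderNo(orderNo);
        if (found.isEmpty() || found.get().ownerUserId != sessionUserId) {
            return Outcome.NOT_FOUND;   // ownership mismatch handled exactly like "no such order"
        }
        found.get().status = "PAID";
        return Outcome.OK;
    }

    public static void main(String[] args) {
        OrderRepository repo = new OrderRepository();
        repo.save(new Order("16500000000001", 1L, "UNPAID"));   // constructed: owned by user 1
        repo.save(new Order("16500000000002", 2L, "UNPAID"));   // constructed: owned by user 2
        OrderOwnershipCheck handler = new OrderOwnershipCheck(repo);

        // User 2 presents user 1's order number to both handler variants.
        System.out.println("unchecked, foreign order: " + handler.paySuccessUnchecked("16500000000001"));
        System.out.println("checked, foreign order:   " + handler.paySuccessChecked(2L, "16500000000001"));
        System.out.println("checked, own order:       " + handler.paySuccessChecked(2L, "16500000000002"));
        System.out.println("checked, malformed:       " + handler.paySuccessChecked(2L, ""));
    }
}
```

Running the main method shows the difference the ownership check makes: the unchecked variant marks user 1's order as paid on user 2's request, while the checked variant refuses it and only succeeds for the order user 2 actually owns. In a real deployment the session user id would come from the authenticated principal and the lookup from the existing order service; the check belongs before any state change, not after.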

🔍 How to Verify

Check if Vulnerable:

Using git log, check whether the current commit is 613a662adf1da7623ec34459bc83e3c1b12d8ce7 or earlier.

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify that the current commit is newer than 613a662adf1da7623ec34459bc83e3c1b12d8ce7, then test that /paySuccess rejects an orderNo belonging to another user.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authorization attempts on /paySuccess
  • OrderNo parameter values not matching user session

Network Indicators:

  • Unusual patterns of requests to /paySuccess endpoint
  • OrderNo parameter manipulation attempts

SIEM Query:

source="web_logs" AND uri="/paySuccess" AND (orderNo NOT IN authorized_orders)
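The log and network indicators above can be checked offline against access logs before a SIEM rule is in place. The following added example is not part of this advisory or of newbee-mall: the log line layout, the choice to count 401/403/404 on /paySuccess as failed authorization, the alert thresholds and the sample lines are all constructed assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Scans access-log lines for the /paySuccess indicators listed in the advisory. */
public class PaySuccessLogScan {

    /** Assumed log layout: <client-ip> <session-user> "<METHOD> <uri>" <status>. */
    private static final Pattern LINE =
            Pattern.compile("^(\\S+) (\\S+) \"(\\S+) (\\S+)\" (\\d{3})$");
    private static final Pattern ORDER_NO = Pattern.compile("[?&]orderNo=([^&\\s]*)");

    /** Thresholds are assumptions; tune them to the site's normal traffic. */
    static final int FAILURE_THRESHOLD = 3;
    static final int DISTINCT_ORDERNO_THRESHOLD = 3;

    /** Per-client counters for /paySuccess traffic only. */
    static final class ClientStats {
        int requests;
        int authFailures;                        // 401/403/404 responses (assumed meaning)
        final Set<String> orderNos = new HashSet<>();
    }

    /** Aggregates /paySuccess requests per (client IP, session user) pair. */
    static Map<String, ClientStats> aggregate(List<String> lines) {
        Map<String, ClientStats> stats = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;                      // skip lines in another format
            String uri = m.group(4);
            String path = uri.split("\\?", 2)[0];
            if (!path.equals("/paySuccess")) continue;       // only the affected endpoint
            String client = m.group(1) + " " + m.group(2);   // key on IP plus session user
            int status = Integer.parseInt(m.group(5));
            ClientStats s = stats.computeIfAbsent(client, k -> new ClientStats());
            s.requests++;
            if (status == 401 || status == 403 || status == 404) s.authFailures++;
            Matcher o = ORDER_NO.matcher(uri);
            if (o.find()) s.orderNos.add(o.group(1));       // distinct orderNo values tried
        }
        return stats;
    }

    /** Clients whose /paySuccess traffic crosses either threshold, formatted for an alert. */
    static List<String> flag(List<String> lines) {
        List<String> alerts = new ArrayList<>();
        for (Map.Entry<String, ClientStats> e : aggregate(lines).entrySet()) {
            ClientStats s = e.getValue();
            boolean manyFailures = s.authFailures >= FAILURE_THRESHOLD;
            boolean manyOrders = s.orderNos.size() >= DISTINCT_ORDERNO_THRESHOLD;
            if (manyFailures || manyOrders) {
                alerts.add(String.format("%s requests=%d authFailures=%d distinctOrderNo=%d",
                        e.getKey(), s.requests, s.authFailures, s.orderNos.size()));
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample lines: TEST-NET addresses and made-up order numbers.
        List<String> sample = Arrays.asList(
            "203.0.113.10 user2 \"GET /paySuccess?orderNo=16500000000001\" 404",
            "203.0.113.10 user2 \"GET /paySuccess?orderNo=16500000000003\" 404",
            "203.0.113.10 user2 \"GET /paySuccess?orderNo=16500000000004\" 404",
            "203.0.113.10 user2 \"GET /paySuccess?orderNo=16500000000002\" 200",
            "198.51.100.7 user1 \"GET /paySuccess?orderNo=16500000000001\" 200",
            "198.51.100.7 user1 \"GET /index\" 200",
            "malformed line that does not match the assumed layout"
        );
        for (String alert : flag(sample)) {
            System.out.println("ALERT " + alert);
        }
    }
}
```

On the sample above only the first client is reported: it produced three rejected /paySuccess requests and tried four different order numbers, which is the "orderNo not matching user session" pattern the advisory describes, while the second client's single successful request to its own order stays silent. Keying on IP plus session user rather than IP alone keeps shared NAT addresses from tripping the failure threshold on their own.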
