CVE-2025-11699

7.1 HIGH

📋 TL;DR

nopCommerce versions 4.70 and prior, and specifically version 4.80.3, fail to properly invalidate session cookies after logout or session termination. This allows attackers with a valid session cookie to access privileged endpoints like /admin even after the legitimate user has logged out, enabling session hijacking. All nopCommerce installations using affected versions are vulnerable.

💻 Affected Systems

Products:
  • nopCommerce
Versions: All versions up to and including 4.70, and specifically version 4.80.3
Operating Systems: All platforms running nopCommerce
Default Config Vulnerable: ⚠️ Yes
Notes: Versions above 4.70 are safe except for the specific vulnerable version 4.80.3

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to the nopCommerce instance, allowing them to modify products, steal customer data, change configurations, or deploy malicious code.

🟠 Likely Case

Session hijacking leading to unauthorized access to user accounts, potential data theft, and privilege escalation to administrative functions.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring for anomalous session activity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires obtaining a valid session cookie through other means (XSS, MITM, etc.), but once obtained, session hijacking is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any version above 4.70 except 4.80.3, or specifically version 4.80.4 and above

Vendor Advisory: https://www.nopcommerce.com/en/release-notes?srsltid=AfmBOoravPKjN19pm_XZbXZ7GvPhkt8cxlK6794BJRZlY5RxJU_yNoTT

Restart Required: Yes

Instructions:

1. Back up your nopCommerce installation and database.
2. Download the latest nopCommerce version from the official website.
3. Replace the existing files with the updated version.
4. Restart the application/web server.
5. Verify the update by checking the version in the admin panel.

🔧 Temporary Workarounds

Implement Session Timeout (Platforms: all)

Configure the application or web server to enforce a session timeout after inactivity.

For IIS: Set sessionState timeout in web.config to a lower value (e.g., 20 minutes)
For Apache/Nginx: Configure session timeout in server configuration

Force Cookie Regeneration (Platforms: all)

Modify application code to regenerate session cookies on login/logout.

Implement custom session management that invalidates old cookies.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to admin interfaces
  • Deploy web application firewall (WAF) with session hijacking protection rules

🔍 How to Verify

Check if Vulnerable:

Check nopCommerce version in admin panel at /admin or examine web.config/assembly version. If version is ≤4.70 or exactly 4.80.3, system is vulnerable.

Check Version:

Check Admin panel → Configuration → System Information, or examine the nopCommerce.dll file version

Verify Fix Applied:

After patching, verify version is above 4.70 and not 4.80.3. Test logout functionality to ensure session cookies are invalidated.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful admin logins from different IP addresses using same session ID
  • Admin access attempts with expired or old session cookies
  • Unusual session duration patterns

Network Indicators:

  • Repeated requests to /admin endpoints with same session cookie over extended periods
  • Session cookies being reused after logout events

SIEM Query:

source="web_logs" AND (uri_path="/admin" OR uri_path="/admin/*") AND session_id=* | stats count by session_id, src_ip | where count > threshold
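The two indicators above (a session ID still hitting /admin after its logout, and one session ID used from several source IPs) can be checked over plain access logs. The following is an added example for this advisory, not code from nopCommerce or from the advisory author; the log format and the sample lines are constructed, so adapt the regex to your own server's log format.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from a real nopCommerce deployment).
# Assumed format: "<ts> <src_ip> <method> <path> <status> session=<id>"
SAMPLE_LOGS = """\
2025-10-13T09:00:01Z 10.0.0.5 POST /login 302 session=abc123
2025-10-13T09:00:05Z 10.0.0.5 GET /admin 200 session=abc123
2025-10-13T09:10:00Z 10.0.0.5 GET /logout 302 session=abc123
2025-10-13T09:15:30Z 203.0.113.7 GET /admin/customer/list 200 session=abc123
2025-10-13T09:20:00Z 10.0.0.9 GET /admin 200 session=def456
2025-10-13T09:21:00Z 198.51.100.2 GET /admin/setting 200 session=def456
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) session=(?P<sid>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_session_reuse(log_text):
    """Return alerts as (kind, session_id, src_ip, timestamp) tuples for
    (a) an /admin request carrying a session ID that already logged out, and
    (b) a session ID used against /admin from more than one source IP.
    (b) alone can be benign (e.g. a mobile client changing networks), so
    treat it as a weaker signal than (a)."""
    alerts = []
    logged_out = set()
    admin_ips = defaultdict(set)
    for ev in parse(log_text):
        sid, path = ev["sid"], ev["path"]
        if path == "/logout":
            logged_out.add(sid)
            continue
        if path == "/admin" or path.startswith("/admin/"):
            if sid in logged_out:
                alerts.append(("admin_after_logout", sid, ev["ip"], ev["ts"]))
            admin_ips[sid].add(ev["ip"])
            if len(admin_ips[sid]) > 1:
                alerts.append(("multi_ip_session", sid, ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOGS):
        print(*alert)
```

On the constructed sample, session abc123 is flagged for admin use after logout (and for a second IP), while def456 is flagged only for the multi-IP pattern.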
