CVE-2025-12919

3.7 LOW

📋 TL;DR

This vulnerability in EverShop allows attackers to manipulate order UUID parameters to access order data they are not authorized to see. It affects EverShop installations up to version 2.0.1. The attack can be performed remotely, but exploitation is rated as high complexity.

💻 Affected Systems

Products:
  • EverShop
Versions: up to 2.0.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Order Handler component via GraphQL resolvers

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized access to sensitive order information including customer data, payment details, and order history.

🟠 Likely Case

Information disclosure of order data that should be restricted to authorized users only.

🟢 If Mitigated

Minimal impact with proper access controls and input validation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploit is public but requires specific knowledge of GraphQL and UUID manipulation

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Upgrade when the vendor releases a fix, or apply the workarounds below in the meantime.

🔧 Temporary Workarounds

Input Validation for UUID Parameters

Applies to: all

Add strict validation for UUID parameters in Order resolvers to prevent unauthorized access

Modify /src/modules/oms/graphql/types/Order/Order.resolvers.js to validate UUID against authorized user permissions

Access Control Enhancement

Applies to: all

Implement additional authorization checks before processing order requests

Add middleware or resolver-level checks to verify user has permission to access specific order UUIDs
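The two workarounds above amount to one resolver-level check: validate the UUID argument, and confirm the caller owns the order (or is an administrator) before returning it. The snippet below is an added illustration, not EverShop's own Order.resolvers.js; the order store, the `context.user` shape (`id`, `isAdmin`) and the function names are assumptions. It shows a resolver that trusts the UUID argument next to one that applies the ownership check.

```javascript
// Added example (not EverShop code): an order resolver that trusts the
// uuid argument, and the hardened form that validates the argument and
// checks ownership before returning data.
// Assumed shapes: context.user = { id, isAdmin }, orders keyed by uuid.

// Constructed sample data standing in for the orders table.
const ORDERS = new Map([
  ['6f1c2d3e-0000-4000-8000-000000000001', { customerId: 42, total: 120.5 }],
  ['6f1c2d3e-0000-4000-8000-000000000002', { customerId: 7, total: 19.99 }],
]);

// RFC 4122 shape: 8-4-4-4-12 hex, version nibble 1-5, variant nibble 8-b.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function findOrderByUuid(uuid) {
  return ORDERS.get(uuid) || null;
}

// Before: any caller who supplies a uuid gets the matching order back.
function orderResolverVulnerable(_parent, args, _context) {
  return findOrderByUuid(args.uuid);
}

// After: reject malformed input, require an authenticated user, and only
// return orders the caller owns (administrators may read any order).
function orderResolverHardened(_parent, args, context) {
  if (typeof args.uuid !== 'string' || !UUID_RE.test(args.uuid)) {
    throw new Error('Invalid order uuid');
  }
  const user = context && context.user;
  if (!user) {
    throw new Error('Authentication required');
  }
  const order = findOrderByUuid(args.uuid);
  // Same "not found" result for missing and foreign orders, so the response
  // does not confirm whether a particular uuid exists.
  if (!order || (!user.isAdmin && order.customerId !== user.id)) {
    return null;
  }
  return order;
}

// Stand-alone demonstration: customer 7 asking for customer 42's order.
const demoArgs = { uuid: '6f1c2d3e-0000-4000-8000-000000000001' };
console.log('vulnerable:', orderResolverVulnerable(null, demoArgs, { user: { id: 7 } }));
console.log('hardened:  ', orderResolverHardened(null, demoArgs, { user: { id: 7 } }));
```

Two design points carry over to a real resolver: the ownership comparison has to use the identity from the authenticated session (`context.user`), never a customer id supplied in the query, and the denied path should be logged so the detection indicators further down have something to match on.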

🧯 If You Can't Patch

  • Implement WAF rules to detect and block suspicious UUID manipulation attempts
  • Monitor GraphQL queries for unusual order access patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check if EverShop version is 2.0.1 or earlier and review Order.resolvers.js for proper UUID validation

Check Version:

Check package.json or application configuration for EverShop version

Verify Fix Applied:

Test that unauthorized users cannot access order data by manipulating UUID parameters

📡 Detection & Monitoring

Log Indicators:

  • Unusual GraphQL queries targeting order endpoints with manipulated UUIDs
  • Multiple failed order access attempts

Network Indicators:

  • Suspicious patterns in GraphQL API requests to order endpoints

SIEM Query:

source="application_logs" AND (message CONTAINS "Order.resolvers" OR message CONTAINS "unauthorized order access")
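The log indicators above describe one pattern: a single principal producing repeated denied order lookups with different UUIDs in a short window. The detector below is an added example, not EverShop code; the JSON log format, the `order_access_denied` event name and the thresholds are constructed for the illustration. It applies a sliding time window per user and raises one alert when the number of distinct UUIDs denied within the window reaches the threshold.

```javascript
// Added example (not EverShop code): flag a principal whose denied order
// lookups span many distinct uuids inside a short window. Log format,
// event names and thresholds are constructed assumptions.

// Constructed sample log lines (one JSON object per line).
const SAMPLE_LOGS = [
  '{"ts":"2025-01-10T10:00:00Z","user":7,"event":"order_access_denied","uuid":"a1"}',
  '{"ts":"2025-01-10T10:00:05Z","user":7,"event":"order_access_denied","uuid":"a2"}',
  '{"ts":"2025-01-10T10:00:10Z","user":7,"event":"order_access_denied","uuid":"a3"}',
  '{"ts":"2025-01-10T10:00:15Z","user":7,"event":"order_access_denied","uuid":"a4"}',
  '{"ts":"2025-01-10T10:00:20Z","user":7,"event":"order_access_denied","uuid":"a5"}',
  '{"ts":"2025-01-10T10:01:00Z","user":42,"event":"order_access_denied","uuid":"b1"}',
  '{"ts":"2025-01-10T10:01:05Z","user":42,"event":"order_access_ok","uuid":"b2"}',
  'this line is not json and must be skipped',
];

// Parse one line; return null for anything that is not a usable event.
function parseLine(line) {
  try {
    const o = JSON.parse(line);
    const ts = Date.parse(o.ts);
    if (Number.isNaN(ts) || typeof o.event !== 'string') return null;
    return { ts, user: o.user, event: o.event, uuid: String(o.uuid) };
  } catch (e) {
    return null;
  }
}

// Return one alert per user whose denied lookups cover at least `threshold`
// distinct uuids within any `windowMs` span.
function detectOrderEnumeration(lines, { threshold = 5, windowMs = 60000 } = {}) {
  const byUser = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.event !== 'order_access_denied') continue;
    if (!byUser.has(ev.user)) byUser.set(ev.user, []);
    byUser.get(ev.user).push(ev);
  }

  const alerts = [];
  for (const [user, events] of byUser) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Advance the window start until the span fits inside windowMs.
      while (events[end].ts - events[start].ts > windowMs) start++;
      const distinct = new Set(events.slice(start, end + 1).map((e) => e.uuid)).size;
      if (distinct >= threshold) {
        alerts.push({ user, distinctUuids: distinct, from: events[start].ts, to: events[end].ts });
        break; // one alert per user is enough for triage
      }
    }
  }
  return alerts;
}

console.log(detectOrderEnumeration(SAMPLE_LOGS));
```

Counting distinct UUIDs rather than raw denials keeps a user who retries the same order a few times from tripping the rule, while the sliding window still catches a slow walk through many identifiers. The thresholds should be tuned against normal traffic before the rule is allowed to page anyone.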

🔗 References
