CVE-2025-22384

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to purchase discontinued products by manipulating requests before they reach the server. It affects Optimizely Configured Commerce B2B storefronts running versions before 5.2.2408. The issue stems from improper validation of business logic in the commerce application.

💻 Affected Systems

Products:
  • Optimizely Configured Commerce
Versions: All versions before 5.2.2408
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects B2B storefront configurations; requires discontinued products to be present in the catalog.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could purchase discontinued inventory at potentially discounted prices, causing inventory management issues and financial loss.

🟠 Likely Case

Limited abuse of discontinued product purchases, potentially disrupting inventory accuracy and business operations.

🟢 If Mitigated

Minimal impact with proper input validation and business logic controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires manipulation of client-side requests before server processing; likely involves intercepting/modifying HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.2408 or later

Vendor Advisory: https://support.optimizely.com/hc/en-us/articles/32694560473741-Configured-Commerce-Security-Advisory-COM-2024-02

Restart Required: No

Instructions:

1. Upgrade Optimizely Configured Commerce to version 5.2.2408 or later.
2. Apply the update through your deployment pipeline.
3. Verify the fix by testing discontinued product purchase attempts.

🔧 Temporary Workarounds

Enhanced Input Validation

Implement server-side validation for all product purchase requests to ensure discontinued products cannot be ordered.

Business Logic Controls

Add additional checks in the order processing workflow to validate product status before completing transactions.
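One way to implement the server-side check that both workarounds above describe, as an added example that is not Optimizely's code: the "before" handler trusts a product status field supplied by the client, the hardened handler re-derives status from the server-side catalog for every line. The catalog, SKUs and function names are constructed for illustration.

```python
# Added example (not Optimizely code): server-side order validation that
# ignores any client-supplied product status and checks the catalog instead.
from dataclasses import dataclass

# Constructed catalog: product status as the server knows it.
CATALOG = {
    "SKU-100": {"status": "active", "price": 49.0},
    "SKU-200": {"status": "discontinued", "price": 5.0},
}


@dataclass
class LineItem:
    sku: str
    qty: int


def vulnerable_validate(order_lines, client_payload):
    """Before: trusts a status flag the client sent alongside each line.
    A tampered request that reports 'active' for a discontinued SKU passes."""
    rejected = []
    for line in order_lines:
        client_status = client_payload.get(line.sku, {}).get("status")
        if client_status == "discontinued":
            rejected.append(line.sku)
    return rejected


def hardened_validate(order_lines, catalog=CATALOG):
    """After: looks up every line in the server-side catalog, so nothing in
    the request body can change the outcome."""
    rejected = []
    for line in order_lines:
        product = catalog.get(line.sku)
        # Unknown SKUs, non-active SKUs and non-positive quantities are rejected.
        if product is None or product["status"] != "active" or line.qty <= 0:
            rejected.append(line.sku)
    return rejected


def place_order(order_lines, catalog=CATALOG):
    """Returns (accepted, rejected_skus, total). Pricing only happens once
    every line has passed the server-side status check."""
    rejected = hardened_validate(order_lines, catalog)
    if rejected:
        return False, rejected, 0.0
    total = sum(catalog[line.sku]["price"] * line.qty for line in order_lines)
    return True, [], total
```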

🧯 If You Can't Patch

  • Implement WAF rules to detect and block suspicious purchase request patterns
  • Monitor order logs for purchases of discontinued products and implement manual review processes

🔍 How to Verify

Check if Vulnerable:

Check if your Configured Commerce version is below 5.2.2408 in the admin panel or deployment configuration.

Check Version:

Check admin panel or deployment configuration for version number

Verify Fix Applied:

After patching, attempt to purchase a discontinued product through normal and manipulated requests to confirm the fix.

📡 Detection & Monitoring

Log Indicators:

  • Unusual purchase patterns for discontinued products
  • Multiple failed purchase attempts followed by successful ones

Network Indicators:

  • Modified HTTP requests to purchase endpoints
  • Unusual timing between request submission and processing

SIEM Query:

source="commerce_logs" AND (product_status="discontinued" AND action="purchase")
