CVE-2025-22385
📋 TL;DR
Optimizely Configured Commerce versions before 5.2.2408 allow mass account creation without email confirmation for new accounts. This affects all B2B e-commerce deployments using vulnerable versions, enabling attackers to create unauthorized storefront accounts and potentially exhaust database resources.
💻 Affected Systems
- Optimizely Configured Commerce
⚠️ Risk & Real-World Impact
Worst Case
Database storage exhaustion leading to service disruption, combined with account takeover if automated password reset requests are sent to the created accounts.
Likely Case
Spam account creation consuming database resources and creating administrative overhead for account cleanup.
If Mitigated
Minimal impact with proper rate limiting and monitoring in place.
🎯 Exploit Status
Simple HTTP POST requests to the account creation endpoint can exploit this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.2408
Vendor Advisory: https://support.optimizely.com/hc/en-us/articles/32695419706637-Configured-Commerce-Security-Advisory-COM-2024-05
Restart Required: Yes
Instructions:
1. Back up your current installation.
2. Apply Optimizely Configured Commerce version 5.2.2408 or later.
3. Restart the application services.
4. Verify that email confirmation is now required for new accounts.
🔧 Temporary Workarounds
Implement Rate Limiting
Configure the web application firewall or load balancer to limit account creation requests per IP address.
Enable CAPTCHA
Add CAPTCHA verification to account registration forms to prevent automated account creation.
🧯 If You Can't Patch
- Implement strict rate limiting on account creation endpoints
- Monitor for unusual account creation patterns and implement automated cleanup
🔍 How to Verify
Check if Vulnerable:
Attempt to create a new account via the storefront registration form and check if email confirmation is required before the account becomes active.
Check Version:
Check the Configured Commerce administration panel or application configuration files for version information.
Verify Fix Applied:
After patching, verify that new accounts require email confirmation before becoming active and that the confirmation email is sent and validated.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of account creation requests from single IP addresses
- Multiple account creations with similar usernames or email patterns
Network Indicators:
- High volume of POST requests to account registration endpoints
- Lack of email confirmation requests following account creation
SIEM Query:
source="web_server" AND (uri_path="/account/register" OR uri_path="/api/account/create") AND status=200 | stats count by src_ip | where count > 10
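The same per-IP threshold as the SIEM query, plus the "lack of confirmation requests" indicator, as a standalone log check. This is an added example, not code from the advisory or from Optimizely; the log line format, the five-minute window and the `/account/confirm` path are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
REGISTER_PATHS = {"/account/register", "/api/account/create"}  # from the SIEM query above
CONFIRM_PATH = "/account/confirm"  # assumption: the page does not name the confirmation endpoint

# Constructed sample log, assumed format: ip [ISO time] "METHOD path" status
SAMPLE_LOG = [
    f'203.0.113.5 [2025-01-15T10:00:{i:02d}] "POST /account/register" 200'
    for i in range(12)
] + [
    '203.0.113.5 [2025-01-15T10:00:30] "POST /api/account/create" 500',
    '198.51.100.7 [2025-01-15T10:01:00] "POST /account/register" 200',
    '198.51.100.7 [2025-01-15T10:03:10] "GET /account/confirm?token=x" 200',
]

def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status)."""
    ip, rest = line.split(" [", 1)
    ts, rest = rest.split('] "', 1)
    request, status = rest.rsplit('" ', 1)
    method, path = request.split(" ", 1)
    return ip, datetime.fromisoformat(ts), method, path.split("?")[0], int(status)

def is_registration(method, path, status):
    """Successful account-creation POST, as in the query (status=200)."""
    return method == "POST" and path in REGISTER_PATHS and status == 200

def burst_registrations(lines, threshold=10, window=timedelta(minutes=5)):
    """IP -> peak registrations inside any `window`, for IPs exceeding `threshold`."""
    per_ip = defaultdict(list)
    for line in lines:
        ip, ts, method, path, status = parse_line(line)
        if is_registration(method, path, status):
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def confirmation_gap(lines):
    """(successful registrations, confirmation GETs): a wide gap matches the indicator."""
    parsed = [parse_line(line) for line in lines]
    regs = sum(is_registration(m, p, s) for _, _, m, p, s in parsed)
    confs = sum(m == "GET" and p == CONFIRM_PATH and s == 200 for _, _, m, p, s in parsed)
    return regs, confs
```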