CVE-2025-22386
📋 TL;DR
Session tokens remain valid after a user logs out of an Optimizely Configured Commerce B2B storefront. An attacker who has captured a token can keep using the session after the legitimate user has logged out and perform actions as that user. Organizations running affected versions of Configured Commerce are at risk.
💻 Affected Systems
- Optimizely Configured Commerce
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers hijack administrative sessions, gaining full control over the commerce platform to modify products, steal customer data, or disrupt operations.
Likely Case
Attackers hijack user sessions to make unauthorized purchases, access sensitive order history, or modify account details.
If Mitigated
With proper session management controls, impact is limited to temporary unauthorized access that is quickly detected and revoked.
🎯 Exploit Status
Exploitation first requires obtaining a session token by other means (e.g., XSS, network sniffing); once a token is held, replaying it after the victim's logout is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.2408 or later
Vendor Advisory: https://support.optimizely.com/hc/en-us/articles/32695284701069-Configured-Commerce-Security-Advisory-COM-2024-04
Restart Required: No
Instructions:
1. Upgrade Configured Commerce to version 5.2.2408 or later.
2. Roll the upgrade out through your normal deployment pipeline.
3. Verify post-upgrade that logging out invalidates the session token (see How to Verify).
🔧 Temporary Workarounds
Session Timeout Reduction
Reduce session timeout values to shorten the window in which a captured token can be replayed.
Modify web.config or application settings to set lower session timeout values.
Force Session Invalidation
Implement custom logout handlers that explicitly invalidate server-side session data rather than only clearing the client-side cookie.
Add Session.Abandon() (ASP.NET) or the equivalent server-side invalidation call to logout routines.
🧯 If You Can't Patch
- Implement additional session validation checks in application code
- Deploy WAF rules to detect and block suspicious session activity
🔍 How to Verify
Check if Vulnerable:
Check if Configured Commerce version is below 5.2.2408 in admin panel or deployment manifest
Check Version:
Check application version in admin interface or deployment configuration files
Verify Fix Applied:
Test logout functionality: log in, capture the session token, log out, then replay the captured token against an authenticated endpoint. The replayed request should be rejected (401/403 or a redirect to the login page), not served with 200.
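The verification step above as a runnable check, added here as an example (this is not Optimizely's code or tooling). The endpoint paths, cookie name and credential fields are assumptions; substitute the storefront's real login, logout and authenticated endpoints. A constructed FakeStorefront stands in for a live server so the check runs offline, with `revokes_on_logout=False` modelling the unpatched behaviour.

```python
"""Post-upgrade check: capture the session cookie, confirm it works, log out,
then replay it. A replay that still returns 200 means logout did not
invalidate the server-side session."""
import json
import secrets
import urllib.error
import urllib.request

LOGIN_PATH = "/api/v1/sessions"            # assumed login endpoint (POST)
LOGOUT_PATH = "/api/v1/sessions/current"   # assumed logout endpoint (DELETE)
PROBE_PATH = "/api/v1/account"             # assumed endpoint that needs a session
COOKIE_NAME = "ASP.NET_SessionId"          # assumed; check the real cookie name


def check_logout_revokes_session(fetch, credentials):
    """fetch(method, path, cookie, body) -> (status, set_cookie_token or None).
    Returns a dict with each step's status and a verdict."""
    status, cookie = fetch("POST", LOGIN_PATH, None, credentials)
    if status != 200 or not cookie:
        return {"verdict": "inconclusive", "login": status}
    before, _ = fetch("GET", PROBE_PATH, cookie, None)
    if before != 200:   # token never worked, so the replay result proves nothing
        return {"verdict": "inconclusive", "login": status, "before_logout": before}
    logout_status, _ = fetch("DELETE", LOGOUT_PATH, cookie, None)
    after, _ = fetch("GET", PROBE_PATH, cookie, None)   # replay the old token
    verdict = "vulnerable" if after == 200 else "fixed"
    return {"verdict": verdict, "login": status, "before_logout": before,
            "logout": logout_status, "after_logout": after}


class FakeStorefront:
    """Constructed stand-in for the storefront (not the real product)."""

    def __init__(self, revokes_on_logout):
        self.revokes = revokes_on_logout
        self.sessions = {}   # cookie -> "logged out" flag

    def fetch(self, method, path, cookie, body):
        if method == "POST" and path == LOGIN_PATH:
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = False
            return 200, cookie
        if cookie not in self.sessions:
            return 401, None
        if method == "DELETE" and path == LOGOUT_PATH:
            if self.revokes:
                del self.sessions[cookie]          # patched: token is dead
            else:
                self.sessions[cookie] = True       # unpatched: flagged, still accepted
            return 204, None
        if path == PROBE_PATH:
            return 200, None
        return 404, None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface a redirect (e.g. to the login page) as the response itself


def urllib_fetch(base_url):
    """Real fetch against a live storefront, same signature as FakeStorefront.fetch."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(method, path, cookie, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        if cookie:
            req.add_header("Cookie", f"{COOKIE_NAME}={cookie}")
        try:
            with opener.open(req, timeout=15) as resp:
                status, headers = resp.status, resp.headers
        except urllib.error.HTTPError as e:
            status, headers = e.code, e.headers
        token = None
        for part in headers.get("Set-Cookie", "").split(";"):
            if part.strip().startswith(COOKIE_NAME + "="):
                token = part.strip().split("=", 1)[1]
        return status, token
    return fetch


if __name__ == "__main__":
    creds = {"userName": "tester", "password": "placeholder"}   # assumed field names
    for label, server in (("unpatched", FakeStorefront(False)),
                          ("patched", FakeStorefront(True))):
        print(label, check_logout_revokes_session(server.fetch, creds))
    # Live run: check_logout_revokes_session(urllib_fetch("https://storefront.example"), creds)
```

Redirects are deliberately not followed: a storefront that answers a replayed token with a 302 to its login page would otherwise be reported as a 200 on the login page and misclassified as vulnerable.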
📡 Detection & Monitoring
Log Indicators:
- Multiple successful requests with same session ID after logout events
- Session ID reuse from different IP addresses
Network Indicators:
- Unusual session token reuse patterns
- Requests with expired session tokens still being processed
SIEM Query (pseudo-logic; field names are placeholders, adapt to your platform's log schema):
For each session_id, find a logout event and then any later request carrying the same session_id that returned status 200. A logout followed by successful requests is the indicator; a logout followed only by 401/403 responses is expected behaviour.
session_id:* AND event:logout, then later session_id:<same> AND status:200
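The detection logic above (post-logout reuse and session IDs seen from more than one client IP) run over constructed sample log lines, added here as an example and not taken from Optimizely or any SIEM vendor. The key=value log format is an assumption for the example; adapt `parse_line` to the storefront's real access log fields.

```python
"""Flag session IDs that keep receiving 200 responses after a logout event,
and session IDs used from more than one client IP."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: s1 logs out and is then replayed from a different IP;
# s2 logs out and its later request is correctly rejected with 401.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z sid=s1 ip=203.0.113.10 path=/account status=200
2025-03-01T10:01:00Z sid=s1 ip=203.0.113.10 path=/logout status=200 event=logout
2025-03-01T10:05:00Z sid=s1 ip=198.51.100.7 path=/account/orders status=200
2025-03-01T10:06:00Z sid=s1 ip=198.51.100.7 path=/cart status=200
2025-03-01T10:02:00Z sid=s2 ip=203.0.113.11 path=/account status=200
2025-03-01T10:03:00Z sid=s2 ip=203.0.113.11 path=/logout status=200 event=logout
2025-03-01T10:04:00Z sid=s2 ip=203.0.113.11 path=/account status=401
"""


def parse_line(line):
    """Parse '<timestamp> key=value ...' into a dict (assumed log format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def _records_by_sid(log_text):
    by_sid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_sid[rec["sid"]].append(rec)
    return by_sid


def find_post_logout_reuse(log_text):
    """Return {sid: [records]} for requests served with 200 after that sid logged out."""
    findings = {}
    for sid, recs in _records_by_sid(log_text).items():
        recs.sort(key=lambda r: r["ts"])   # logs may arrive out of order
        logout_ts = next((r["ts"] for r in recs if r.get("event") == "logout"), None)
        if logout_ts is None:
            continue
        # Strictly after the logout request itself, which legitimately returns 200.
        reused = [r for r in recs if r["ts"] > logout_ts and r["status"] == 200]
        if reused:
            findings[sid] = reused
    return findings


def find_multi_ip_sessions(log_text):
    """Return the set of session IDs seen from more than one client IP."""
    ips = defaultdict(set)
    for sid, recs in _records_by_sid(log_text).items():
        for r in recs:
            ips[sid].add(r["ip"])
    return {sid for sid, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    for sid, recs in find_post_logout_reuse(SAMPLE_LOG).items():
        print(f"post-logout reuse: sid={sid} requests={len(recs)} "
              f"paths={[r['path'] for r in recs]}")
    print("multi-IP sessions:", find_multi_ip_sessions(SAMPLE_LOG))
```

Multi-IP use alone is a weak signal (mobile users change addresses legitimately); combining it with a success after logout for the same session ID is what makes the alert worth paging on.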