CVE-2025-22387
📋 TL;DR
This vulnerability in Optimizely Configured Commerce exposes session tokens in URL parameters, allowing attackers to hijack authenticated user sessions. It affects all Optimizely Configured Commerce installations before version 5.2.2408. Attackers can steal session tokens from browser history, logs, or referrer headers to impersonate legitimate users.
💻 Affected Systems
- Optimizely Configured Commerce
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to sensitive customer data, financial transactions, and administrative functions.
Likely Case
Session hijacking resulting in unauthorized access to user accounts, potential data exposure, and privilege escalation.
If Mitigated
Reduced impact where HTTPS is enforced end to end, the token-bearing parameter is excluded from web server, proxy and analytics logs, a restrictive Referrer-Policy limits what leaves in Referer headers, and session activity is monitored for the same token being replayed from a second client. Network segmentation on its own does little here: the token leaks through the user's own browser history, through logs, and through Referer headers, none of which segmentation controls.
🎯 Exploit Status
Exploitation requires obtaining a URL that carries a victim's session token, for example from browser history on a shared machine, from web server, proxy or analytics logs, or from the Referer header sent when the user follows a link from the affected site to another one. The attacker then replays the token to act as that user; no authentication bypass or code execution is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.2408 or later
Vendor Advisory: https://support.optimizely.com/hc/en-us/articles/32695551034893-Configured-Commerce-Security-Advisory-COM-2024-06
Restart Required: No
Instructions:
1. Upgrade Optimizely Configured Commerce to version 5.2.2408 or later.
2. Using a browser's developer tools or an intercepting proxy, confirm that session tokens are no longer transmitted as URL query parameters and now travel only in cookies or request headers.
3. Test application functionality post-upgrade, including authenticated resource requests.
🔧 Temporary Workarounds
Implement URL parameter filtering
Configure a web application firewall or reverse proxy to block requests that carry a session token in the query string. Note that silently stripping the parameter will break the vulnerable version's own resource requests, which depend on it; blocking makes the breakage visible so it can be tracked until the upgrade lands.
Enforce HTTPS-only connections
Ensure all traffic uses HTTPS to reduce the risk of token interception in transit. This does not address leakage through browser history, logs or Referer headers, so treat it as a partial measure.
🧯 If You Can't Patch
- Implement strict network segmentation to limit exposure of vulnerable systems
- Exclude the token-bearing query parameter from web server, proxy and analytics logs, or mask its value, so existing logs do not become a token store
- Send a restrictive Referrer-Policy (for example no-referrer) from the application or reverse proxy to keep token-bearing URLs out of Referer headers sent to other sites
- Deploy enhanced monitoring for suspicious session activity and token reuse, and shorten session lifetime so a leaked token expires quickly
🔍 How to Verify
Check if Vulnerable:
Using a browser's developer tools or an intercepting proxy, inspect the requests the application issues after login (API calls and resource loads) and look for a query-string parameter whose value is the session token
Check Version:
Check Optimizely Configured Commerce version in admin panel or configuration files
Verify Fix Applied:
Confirm session tokens are transmitted only via secure headers or cookies, not in URLs
📡 Detection & Monitoring
Log Indicators:
- Query strings in access logs containing long, opaque, session-like values, including in the Referer field of subsequent requests
- The same session token appearing in requests from more than one client IP address or user agent, which indicates replay of a stolen token
Network Indicators:
- Session tokens visible in HTTP GET requests
- Unusual session creation patterns
SIEM Query:
source="web_logs" AND method="GET" AND (url="*?session*=*" OR url="*&session*=*" OR url="*token=*")
The wildcard patterns are deliberately restricted to parameter assignments in the query string; matching "session" or "token" anywhere in the URL also hits paths, search terms and static assets and produces a noisy result. Tune the parameter names to what the deployment actually uses.
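The following is an added example, not code from the page or from Optimizely, that implements the "Check if Vulnerable" inspection and the log indicators above as an offline scan over web server access logs. It parses combined-format log lines, flags session-like values in suspect query parameters both in the request target and in the Referer field, reports any token replayed from more than one client, and masks token values so a log extract can be shared safely. The parameter names, the token shape and the log lines are constructed assumptions for illustration; replace them with the parameter name observed in your own deployment.

```python
"""Scan access logs for session tokens exposed in URL query strings.

Added example for this advisory page; not Optimizely code. The suspect
parameter names, token pattern and sample log lines are constructed
assumptions, not observed values from the affected product.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Hypothetical parameter names that could carry a session token. Confirm the
# real name by inspecting the application's requests before relying on this.
SUSPECT_PARAMS = {"sessionid", "session", "token", "access_token"}

# Session tokens are long opaque strings; short values are unlikely to be secrets.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._\-]{16,}$")

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Masks the value of any suspect parameter, in the request line or Referer.
REDACT_RE = re.compile(
    r"([?&](?:sessionid|session|token|access_token)=)[^&\s\"]+", re.IGNORECASE
)

# Constructed sample log: one user (203.0.113.10) whose token appears in a
# resource request and later in a Referer, then a second client replaying the
# same token, plus benign lines that must not trigger.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /api/v1/resource?sessionid=AbCdEf0123456789XyZw HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)"',
    '203.0.113.10 - - [10/Jan/2025:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "https://shop.example.test/" "Mozilla/5.0 (X11)"',
    '203.0.113.10 - - [10/Jan/2025:10:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 1200 "https://shop.example.test/api/v1/resource?sessionid=AbCdEf0123456789XyZw" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [10/Jan/2025:10:05:00 +0000] "GET /api/v1/resource?sessionid=AbCdEf0123456789XyZw HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2025:10:05:01 +0000] "GET /search?q=session+cookies HTTP/1.1" 200 800 "-" "curl/8.0"',
    '192.0.2.5 - - [10/Jan/2025:10:06:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def tokens_in_url(url):
    """Return (param, value) pairs from the query string that look like session tokens."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in SUSPECT_PARAMS and TOKEN_RE.match(value):
            hits.append((key, value))
    return hits


def scan(lines):
    """Scan log lines and return (exposures, reuse).

    exposures: one dict per token found in a request target or Referer header.
    reuse:     {token: {(ip, user_agent), ...}} for tokens seen from more than
               one client; this is the replay indicator described above.
    """
    exposures = []
    clients_by_token = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for source, url in (("url", rec["target"]), ("referer", rec["referer"])):
            if url in ("", "-"):
                continue
            for param, value in tokens_in_url(url):
                exposures.append({"ip": rec["ip"], "method": rec["method"],
                                  "source": source, "param": param, "token": value})
                if source == "url":
                    clients_by_token[value].add((rec["ip"], rec["ua"]))
    reuse = {tok: clients for tok, clients in clients_by_token.items() if len(clients) > 1}
    return exposures, reuse


def redact(line):
    """Mask token values so a log extract can be shared without re-exposing sessions."""
    return REDACT_RE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    found, replayed = scan(SAMPLE_LOG)
    for e in found:
        print(f"{e['ip']:<14} {e['method']} token in {e['source']} param {e['param']}")
    for tok, clients in replayed.items():
        print(f"token {tok[:6]}... used by {len(clients)} distinct clients: {sorted(clients)}")
    print(redact(SAMPLE_LOG[0]))
```

Against real logs, feed `scan()` the lines of the access log directly; the `/search?q=session+cookies` line in the sample shows why the check keys on parameter names rather than on the substring "session" appearing anywhere in the URL. Run `redact()` over any extract before attaching it to a ticket, since the extract is itself a list of live tokens until the sessions expire.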