CVE-2025-58442
📋 TL;DR
This vulnerability in the Saleor e-commerce platform allows attackers to determine whether a specific email address exists in the system by analyzing error responses from the accountRegister mutation. It affects all Saleor deployments running versions 3.21.0 through 3.21.15, potentially enabling user enumeration attacks.
💻 Affected Systems
- Saleor
⚠️ Manual Verification Required
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all registered users in the system, enabling targeted phishing, credential stuffing, or social engineering attacks against known users.
Likely Case
Attackers will use automated tools to check for existence of specific email addresses, potentially identifying active users for further attacks.
If Mitigated
With proper rate limiting and monitoring, impact is limited to occasional user enumeration attempts that can be detected and blocked.
🎯 Exploit Status
Exploitation requires sending specific GraphQL queries to the accountRegister endpoint and analyzing error responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.21.16
Vendor Advisory: https://github.com/saleor/saleor/security/advisories/GHSA-8w67-mfm5-fwx5
Restart Required: Yes
Instructions:
1. Update Saleor to version 3.21.16 or later.
2. Restart the Saleor service.
3. Verify the fix by testing the accountRegister mutation.
🔧 Temporary Workarounds
Rate Limiting
Implement rate limiting on the accountRegister mutation to reduce enumeration effectiveness
Configure rate limiting in your API gateway or application firewall
🧯 If You Can't Patch
- Implement strict rate limiting on the accountRegister endpoint
- Monitor for unusual patterns of account registration attempts
🔍 How to Verify
Check if Vulnerable:
Send the accountRegister mutation for an email address known to be registered and for one that is not, and observe whether the error responses differ depending on whether the email exists
Check Version:
Check Saleor version in admin panel or via API
Verify Fix Applied:
After patching, test that accountRegister returns consistent error responses regardless of email existence
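The fix check above compares two accountRegister responses. The following is an added example (not Saleor's code) of how to do that comparison systematically: it strips fields that legitimately vary per request (the VOLATILE_KEYS set is an assumption) and reports every JSON path at which the two responses still differ, so an empty result means the responses are indistinguishable. The response bodies are constructed for illustration; the error code and message are placeholders, not the actual strings any Saleor version returns.

```python
"""Compare two accountRegister responses for observable differences.

Added example, not Saleor's code. The response shapes below are constructed
for illustration; only the `data` / `errors` layout is assumed.
"""
import json

# Assumption: keys whose values are expected to differ on every request and
# therefore carry no information about whether the email exists.
VOLATILE_KEYS = {"requestId", "timestamp"}


def normalize(resp):
    """Recursively drop volatile keys and sort lists so that only
    semantically meaningful differences remain."""
    if isinstance(resp, dict):
        return {k: normalize(v) for k, v in sorted(resp.items()) if k not in VOLATILE_KEYS}
    if isinstance(resp, list):
        return sorted((normalize(v) for v in resp), key=json.dumps)
    return resp


def _diff(a, b, path):
    """Walk two normalized JSON values and collect the paths that differ."""
    if isinstance(a, dict) and isinstance(b, dict):
        diffs = []
        for key in sorted(set(a) | set(b)):
            if key not in a or key not in b:
                diffs.append(f"{path}/{key}")
            else:
                diffs.extend(_diff(a[key], b[key], f"{path}/{key}"))
        return diffs
    if isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            return [f"{path}[len]"]
        diffs = []
        for i, (x, y) in enumerate(zip(a, b)):
            diffs.extend(_diff(x, y, f"{path}[{i}]"))
        return diffs
    return [] if a == b else [path]


def response_differences(resp_a, resp_b):
    """Return the JSON paths at which two responses differ after normalization."""
    return _diff(normalize(resp_a), normalize(resp_b), "")


def fix_verified(resp_existing_email, resp_unknown_email):
    """True when the responses for a registered and an unregistered email
    are indistinguishable, i.e. no enumeration oracle remains."""
    return response_differences(resp_existing_email, resp_unknown_email) == []


# Constructed sample: a distinguishable pair (what a vulnerable deployment
# might look like) and an indistinguishable pair (expected after the fix).
VULNERABLE_EXISTING = {
    "data": {"accountRegister": {"user": None, "requiresConfirmation": False,
             "errors": [{"field": "email", "code": "PLACEHOLDER_CODE",
                         "message": "constructed: account already exists"}]}},
    "extensions": {"requestId": "req-1"},
}
VULNERABLE_UNKNOWN = {
    "data": {"accountRegister": {"user": None, "requiresConfirmation": True, "errors": []}},
    "extensions": {"requestId": "req-2"},
}
FIXED_EXISTING = {
    "data": {"accountRegister": {"user": None, "requiresConfirmation": True, "errors": []}},
    "extensions": {"requestId": "req-3"},
}
FIXED_UNKNOWN = {
    "data": {"accountRegister": {"user": None, "requiresConfirmation": True, "errors": []}},
    "extensions": {"requestId": "req-4"},
}

if __name__ == "__main__":
    print("vulnerable pair differs at:", response_differences(VULNERABLE_EXISTING, VULNERABLE_UNKNOWN))
    print("fixed pair indistinguishable:", fix_verified(FIXED_EXISTING, FIXED_UNKNOWN))
```

Run the check against the two responses captured from your own deployment; any path reported in the result is a remaining oracle, so treat a non-empty list as "not fixed" even if the HTTP status and top-level shape already match.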
📡 Detection & Monitoring
Log Indicators:
- Multiple failed accountRegister attempts with different email addresses
- Unusual patterns of account registration errors
Network Indicators:
- High volume of GraphQL queries to accountRegister endpoint
- Patterns suggesting automated user enumeration
SIEM Query:
source="saleor" AND (mutation="accountRegister" OR endpoint="/graphql/") AND status="error" | stats count by email