CVE-2026-25597
📋 TL;DR
PrestaShop versions before 8.2.4 and 9.0.3 have a time-based user enumeration vulnerability in authentication that allows attackers to determine if customer accounts exist by analyzing response time differences. This affects all PrestaShop e-commerce sites running vulnerable versions. Attackers can use this information for targeted attacks.
💻 Affected Systems
- PrestaShop
📦 What is this software?
Prestashop by Prestashop
⚠️ Risk & Real-World Impact
Worst Case
Attackers identify valid customer accounts, enabling targeted credential stuffing, phishing campaigns, or account takeover attempts against specific users.
Likely Case
Attackers enumerate valid customer emails/usernames for spam lists, credential stuffing attacks, or reconnaissance for future attacks.
If Mitigated
With proper rate limiting and monitoring, impact is limited to potential privacy violation of account existence information.
🎯 Exploit Status
Time-based attacks require statistical analysis but tools exist to automate this. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2.4 or 9.0.3
Vendor Advisory: https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2
Restart Required: No
Instructions:
1. Back up your PrestaShop installation and database.
2. Download PrestaShop 8.2.4 or 9.0.3 from official sources.
3. Follow the upgrade instructions at https://devdocs.prestashop-project.org/8/development/upgrade/.
4. Test functionality after the upgrade.
🔧 Temporary Workarounds
Implement Rate Limiting
Add rate limiting to authentication endpoints to slow automated timing measurements
# Configure web server rate limiting (nginx example)
# limit_req_zone belongs in the http {} context; limit_req in the matching server/location
limit_req_zone $binary_remote_addr zone=auth:10m rate=10r/m;
location /authentication { limit_req zone=auth burst=5; }
Add Random Delay
Implement uniform response times for all authentication attempts regardless of account existence
# PHP implementation in authentication logic
// Run on every login attempt, before the response is sent, whether or not the e-mail matched a customer record
$delay = random_int(100, 300); // milliseconds
usleep($delay * 1000);         // usleep() takes microseconds
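Random jitter raises the number of samples an attacker needs but does not remove the difference in mean response time between "account exists" and "account does not exist" paths. The structural fix for this class of bug is to do the same amount of work on both paths. The following is an added, language-neutral illustration in Python (not PrestaShop's PHP code and not its actual patch); the user store, the PBKDF2 parameters and the `LoginService` class are assumptions made for the example. It shows a naive check that returns early for unknown accounts beside a hardened check that always runs the password hash comparison, against a dummy record when the account is missing, and counts hash operations so the equal-work property can be verified.

```python
import hashlib
import hmac
import os
import secrets
import time
from statistics import median

# Illustrative password-check service (assumed, not PrestaShop's code). It shows why an
# early return on "unknown account" leaks existence through response time, and the
# constant-work fix: always run the expensive hash comparison, using a dummy record
# when the account does not exist.

ITERATIONS = 50_000  # PBKDF2 work factor; high enough for the timing gap to be visible


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, derive(password, salt)


class LoginService:
    def __init__(self, users: dict):
        self.users = users      # email -> (salt, derived key); constructed test data
        self.hash_calls = 0     # counts expensive operations so equal work can be checked
        # Dummy record used for unknown accounts so that path costs the same as a real one.
        self._dummy = make_record(secrets.token_hex(16))

    def _verify(self, password: str, record: tuple) -> bool:
        self.hash_calls += 1
        salt, expected = record
        return hmac.compare_digest(derive(password, salt), expected)

    def login_naive(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        if record is None:
            return False        # fast path: no hash work, so a measurably quicker reply
        return self._verify(password, record)

    def login_hardened(self, email: str, password: str) -> bool:
        record = self.users.get(email)
        exists = record is not None
        # Same hash work on both branches; the result is forced to False for unknown accounts.
        ok = self._verify(password, record if exists else self._dummy)
        return ok and exists


def median_ms(fn, email: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of fn(email, password) in milliseconds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(email, password)
        samples.append((time.perf_counter() - start) * 1000)
    return median(samples)


if __name__ == "__main__":
    svc = LoginService({"alice@example.com": make_record("correct horse")})
    for name, fn in (("naive", svc.login_naive), ("hardened", svc.login_hardened)):
        known = median_ms(fn, "alice@example.com", "wrong password")
        unknown = median_ms(fn, "nobody@example.com", "wrong password")
        print(f"{name:9s} known={known:6.1f} ms  unknown={unknown:6.1f} ms")
```

Running the block prints the median timings for a known and an unknown account under both checks; the naive check answers unknown accounts in well under a millisecond while the hardened check takes the same time on both paths. The database lookup itself can also differ in cost, so the hardened path is a necessary condition, not a complete guarantee, and rate limiting remains useful alongside it.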
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block timing attack patterns
- Enable CAPTCHA on authentication pages and monitor for unusual authentication attempt patterns
🔍 How to Verify
Check if Vulnerable:
Check the PrestaShop version in the admin panel or in the config/settings.inc.php file
Check Version:
grep '_PS_VERSION_' config/settings.inc.php | head -1
Verify Fix Applied:
Verify version is 8.2.4 or higher (for 8.x) or 9.0.3 or higher (for 9.x)
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts with varying response times
- Unusual patterns of authentication requests from single IPs
Network Indicators:
- High volume of authentication requests with consistent timing patterns
- Requests to authentication endpoints with varying usernames/emails
SIEM Query:
source="prestashop_logs" action="authentication" | stats count by src_ip, user | where count > 100
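The SIEM query above counts attempts per (source IP, user) pair, which catches repeated attempts against one account. Enumeration looks different: one source IP submitting a modest number of requests for many distinct identities, almost all failing. The following added example (not from the page or from PrestaShop) implements that second pattern as a sliding-window detector over constructed log lines; the log format, the field names and the thresholds are assumptions chosen for the example, and it reports request count, distinct identities and failure rate per offending IP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed access-log layout (not PrestaShop's own log format):
# <ISO timestamp> <src_ip> POST /authentication email=<email> status=<http status> rt=<ms>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /authentication email=(?P<email>\S+) "
    r"status=(?P<status>\d{3}) rt=(?P<rt>\d+)$"
)

# Constructed sample log: 203.0.113.5 walks through twelve different e-mails in one
# minute, all rejected; 198.51.100.7 is one customer who mistypes once, then logs in.
SAMPLE_LOG = [
    f"2026-03-01T10:00:{i * 5:02d}Z 203.0.113.5 POST /authentication "
    f"email=user{i}@example.com status=401 rt={90 + (i % 3) * 5}"
    for i in range(12)
] + [
    "2026-03-01T10:01:10Z 198.51.100.7 POST /authentication email=jane@example.com status=401 rt=210",
    "2026-03-01T10:01:25Z 198.51.100.7 POST /authentication email=jane@example.com status=302 rt=205",
]


def parse(lines):
    """Turn raw lines into time-ordered event dicts; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "email": m["email"],
            "failed": m["status"] != "302",   # a redirect is treated as a successful login
            "rt": int(m["rt"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_enumeration(lines, window=timedelta(minutes=5), min_requests=10, min_distinct=5):
    """Per-source-IP sliding window: alert when one IP tries many distinct identities.

    Thresholds are assumptions for the example; tune them to the site's normal traffic.
    Returns {src_ip: summary} for every IP that crossed both thresholds.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in parse(lines):
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:   # drop events outside the window
            q.popleft()
        distinct = {e["email"] for e in q}
        if len(q) >= min_requests and len(distinct) >= min_distinct:
            failed = sum(e["failed"] for e in q)
            alerts[ev["ip"]] = {
                "requests": len(q),
                "distinct_identities": len(distinct),
                "failure_rate": round(failed / len(q), 2),
                "last_seen": ev["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

Only 203.0.113.5 is reported (12 requests, 12 distinct identities, failure rate 1.0); the legitimate customer never crosses the distinct-identity threshold even if the request threshold is lowered. The `rt` field is parsed but not used for alerting, because after the patch or the uniform-delay workaround the response-time spread carries no signal; the request and identity counts are what remain visible.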