CVE-2026-25758
📋 TL;DR
A critical IDOR vulnerability in Spree Commerce allows guest users to manipulate address ID parameters during checkout, bypassing ownership validation. This enables unauthorized access to other guests' personally identifiable information including names, addresses, and phone numbers. All systems running vulnerable versions of Spree Commerce with guest checkout enabled are affected.
💻 Affected Systems
- Spree Commerce
📦 What is this software?
Spree by Spreecommerce
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of guest PII data leading to identity theft, targeted phishing campaigns, and regulatory compliance violations.
Likely Case
Unauthorized access to individual guest PII records, potentially leading to privacy violations and targeted attacks against affected individuals.
If Mitigated
Limited impact with proper input validation and access controls preventing unauthorized address binding.
🎯 Exploit Status
Exploitation requires guest checkout access but no authentication; only simple parameter manipulation is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.10.3, 5.0.8, 5.1.10, 5.2.7, or 5.3.2
Vendor Advisory: https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
Restart Required: Yes
Instructions:
1. Identify the current Spree version.
2. Upgrade to the appropriate patched version (4.10.3, 5.0.8, 5.1.10, 5.2.7, or 5.3.2).
3. Restart the application server.
4. Verify that the fix is in place.
🔧 Temporary Workarounds
Disable Guest Checkout
Temporarily disable guest checkout functionality to prevent exploitation.
# Configure Spree to require user accounts for checkout
Implement Additional Input Validation
Add server-side validation to ensure that submitted address IDs belong to the current user.
# Add custom validation in address binding logic
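A minimal illustration of the ownership check this workaround calls for, written for this page and not taken from Spree; the Address and Order structs, the ADDRESSES table and the function names are stand-ins, not Spree APIs.

```ruby
# Added example (not Spree's own code): ownership validation for a
# client-supplied address_id at checkout, shown vulnerable and hardened.
Address = Struct.new(:id, :user_id, :name, :city)
Order   = Struct.new(:id, :user_id, :bill_address_id)

class UnauthorizedAddress < StandardError; end

# Constructed sample data: id 10 belongs to user 7, id 11 was saved by a
# guest (no owner).
ADDRESSES = {
  10 => Address.new(10, 7,   'Alice', 'Berlin'),
  11 => Address.new(11, nil, 'Guest', 'Paris')
}.freeze

# Vulnerable pattern: any existing address id binds to any order, so a guest
# can attach (and later view) a record that belongs to someone else.
def bind_address_vulnerable(order, address_id)
  address = ADDRESSES.fetch(address_id)
  order.bill_address_id = address.id
  order
end

# Hardened pattern: resolve the id only within the current user's own
# addresses. In Rails this is the association-scoped lookup
# `current_user.addresses.find(id)` rather than a global `Address.find(id)`.
# Guest orders have no user, so they never bind by id at all; they must
# submit full address attributes, which the server stores as a new record.
def bind_address_checked(order, address_id)
  raise UnauthorizedAddress, 'guest orders cannot bind addresses by id' if order.user_id.nil?

  address = ADDRESSES[address_id]
  unless address && address.user_id == order.user_id
    raise UnauthorizedAddress, "address #{address_id} is not owned by user #{order.user_id}"
  end
  order.bill_address_id = address.id
  order
end

# Convenience for checks: true when the hardened path refuses the binding.
def rejected?(order, address_id)
  bind_address_checked(order, address_id)
  false
rescue UnauthorizedAddress
  true
end
```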
🧯 If You Can't Patch
- Implement WAF rules to block suspicious address ID parameter manipulation
- Enable detailed logging of all address binding attempts and monitor for anomalies
🔍 How to Verify
Check if Vulnerable:
Test whether guest checkout allows binding an address not owned by the current user by manipulating the address_id parameter.
Check Version:
bundle show spree_core
Verify Fix Applied:
Verify that address binding now validates ownership and rejects address IDs the current user does not own.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed address binding attempts
- Address ID parameter values outside expected range
- Guest users accessing multiple different address records
Network Indicators:
- Unusual patterns in checkout API calls
- Multiple address ID values in single session
SIEM Query:
source="spree_logs" AND (message="address binding" OR message="checkout") AND (address_id!="current_user_address")
🔗 References
- https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
- https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
- https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
- https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
- https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
- https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
- https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
- https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
- https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
- https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6