CVE-2025-22387
Published: 04 January 2025
Summary
CVE-2025-22387 is a high-severity Use of GET Request Method With Sensitive Query Strings (CWE-598) vulnerability in Optimizely Configured Commerce. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked in the top 48.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms to protect and authenticate session identifiers against interception and replay, directly preventing session hijacking from tokens exposed in URL parameters.
IA-5 mandates protection of authenticators including session tokens from unauthorized disclosure, addressing exposure via URL parameters, logs, and referers.
SC-8 enforces confidentiality and integrity of transmissions to prevent network-based interception of session tokens in URLs, though not fully mitigating log or referer exposure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Session token exposure in URLs directly enables capture via logs/referers (T1539) and subsequent hijacking of web sessions (T1185) using stolen tokens as alternate auth material (T1550.004).
NVD Description
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking.
Deeper analysis
CVE-2025-22387 is a vulnerability discovered in Optimizely Configured Commerce versions before 5.2.2408. The issue arises in requests for resources where the session token is submitted as a URL parameter, exposing information about the authenticated session. This exposure can be leveraged for session hijacking. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-598.
The vulnerability can be exploited by any unauthenticated attacker with network access, requiring low complexity and no user interaction. By intercepting or accessing the session token embedded in URL parameters—potentially through server logs, proxy logs, or HTTP referer headers—an attacker can hijack an active authenticated session. This grants the attacker the same level of access as the victim, enabling unauthorized actions within the application and potential exposure of sensitive session-bound data.
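The exposure paths named above (server logs, proxy logs, Referer headers) are exactly where a defender can look for this weakness, and the controls listed under SC-23 and IA-5 come down to keeping the authenticator out of the URL altogether. The following is an added example, not code from the page, from Optimizely or from the advisory: it scans Combined Log Format access-log lines for session-token-like query parameters in both the request target and the Referer field, redacts such values before a URL is logged, and shows the hardened alternative of carrying the session identifier in a cookie. The parameter names (`sessionToken` and the others in `SESSION_PARAM_NAMES`) and all log lines are constructed placeholders, not values from the product.

```python
"""
Added example (not from the page or from Optimizely): spotting CWE-598
style session-token exposure in web-server logs and illustrating the
hardened alternative. The query-parameter names and every log line below
are constructed placeholders, not values from the product or advisory.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed list of parameter names that would carry a session authenticator.
SESSION_PARAM_NAMES = {"sessiontoken", "session_token", "sessionid", "sid", "token"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: line 1 carries the token in the request itself,
# line 3 carries it in the Referer of the page that linked to /static.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Jan/2025:10:15:01 +0000] "GET /api/v1/orders?page=2&sessionToken=abc123def456 HTTP/1.1" 200 5120 "https://shop.example/account" "Mozilla/5.0"
203.0.113.11 - - [04/Jan/2025:10:15:07 +0000] "GET /api/v1/products?q=widget HTTP/1.1" 200 2048 "https://shop.example/search" "Mozilla/5.0"
198.51.100.7 - - [04/Jan/2025:10:16:22 +0000] "GET /static/logo.png HTTP/1.1" 200 811 "https://shop.example/cart?sessionToken=abc123def456" "Mozilla/5.0"
"""


def session_params_in(url: str) -> list[str]:
    """Return the names of query parameters in `url` that look like session authenticators."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SESSION_PARAM_NAMES]


def scan_access_log(text: str) -> list[dict]:
    """Flag log entries whose request target or Referer carries a session token."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        for location, url in (("request", m["target"]), ("referer", m["referer"])):
            if not url or url == "-":
                continue
            hits = session_params_in(url)
            if hits:
                findings.append({"ip": m["ip"], "timestamp": m["ts"],
                                 "location": location, "params": hits})
    return findings


def redact_url(url: str) -> str:
    """Replace session-token values with REDACTED before a URL is written to a log (IA-5)."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SESSION_PARAM_NAMES else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def session_cookie_header(token: str) -> str:
    """Hardened alternative (SC-23): carry the session identifier in a cookie, which
    browsers never place in URLs, Referer headers or server access logs."""
    return f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} token in {f['location']}: {', '.join(f['params'])}")
    print(redact_url("https://shop.example/cart?sessionToken=abc123def456&x=1"))
```

Run against the constructed sample, the scanner reports two entries: the first request, where the token sits in the query string, and the third, where a page whose URL carried the token became the Referer of a later request. The second case is the one SC-8 alone does not cover, since the leak happens after transport encryption ends. Redacting at the logging layer limits the damage while the fix (upgrading to 5.2.2408 or later) is rolled out; moving the identifier into a `Secure; HttpOnly` cookie removes the exposure path entirely.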
Optimizely has published a security advisory, COM-2024-06, detailing the issue and mitigation at https://support.optimizely.com/hc/en-us/articles/32695551034893-Configured-Commerce-Security-Advisory-COM-2024-06. Vulnerable installations should upgrade to Optimizely Configured Commerce 5.2.2408 or later, where the issue is addressed.
Details
- CWE(s): CWE-598 (Use of GET Request Method With Sensitive Query Strings)