CVE-2025-50902
Published: 20 August 2025
Summary
CVE-2025-50902 is a high-severity CSRF (CWE-352) vulnerability in Old-Peanut Open-Shop. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-50902 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the old-peanut Open-Shop application (also known as old-peanut/wechat_applet__open_source) through version 1.0.0. The issue enables attackers to gain sensitive information by sending crafted HTTP POST messages. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-08-20T20:15:32.060.
Unauthenticated attackers with network access can exploit this vulnerability by luring victims into performing actions via a malicious site, such as clicking a link or submitting a form that triggers the forged POST request to the affected application. Exploitation requires user interaction but no privileges, with low attack complexity. Successful attacks can result in high confidentiality, integrity, and availability impacts, including unauthorized access to sensitive data.
Mitigation details are available in the advisory at https://gitee.com/old-peanut/wechat_applet__open_source/issues/IC95QM.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25428
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in old-peanut Open-Shop (aka old-peanut/wechat_applet__open_source) through 1.0.0 allows attackers to gain sensitive information via crafted HTTP POST message.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control bypass via crafted path (/api;/..//sys/*) in public-facing web application APIs allows remote attackers to access protected endpoints without authentication, resulting in sensitive information disclosure. Maps to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
SC-23 mandates protections for communications session authenticity, such as anti-CSRF tokens, directly preventing attackers from forging POST requests to gain sensitive information.
SI-10 requires validation of information inputs, including CSRF tokens in crafted HTTP POST messages, to ensure requests originate from legitimate user interactions.
SC-7 enables boundary protection mechanisms like web application firewalls to inspect and block anomalous cross-site POST requests indicative of CSRF exploitation.