Cyber Resilience

CVE-2025-50902

High · Public PoC

Published: 20 August 2025

Modified: 09 October 2025
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-50902 is a high-severity CSRF (CWE-352) vulnerability in Old-Peanut Open-Shop. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-50902 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the old-peanut Open-Shop application (also known as old-peanut/wechat_applet__open_source) through version 1.0.0. The issue enables attackers to gain sensitive information by sending crafted HTTP POST messages. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-08-20T20:15:32.060.

Unauthenticated attackers with network access can exploit this vulnerability by luring victims into performing actions via a malicious site, such as clicking a link or submitting a form that triggers the forged POST request to the affected application. Exploitation requires user interaction but no privileges, with low attack complexity. Successful attacks can result in high confidentiality, integrity, and availability impacts, including unauthorized access to sensitive data.

Mitigation details are available in the advisory at https://gitee.com/old-peanut/wechat_applet__open_source/issues/IC95QM.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in old-peanut Open-Shop (aka old-peanut/wechat_applet__open_source) through 1.0.0 allows attackers to gain sensitive information via a crafted HTTP POST message.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Incorrect access control bypass via crafted path (/api;/..//sys/*) in public-facing web application APIs allows remote attackers to access protected endpoints without authentication, resulting in sensitive information disclosure. Maps to exploitation of public-facing applications.

CVEs Like This One

CVE-2024-37102 (Shared CWE-352)
CVE-2024-37450 (Shared CWE-352)
CVE-2025-23558 (Shared CWE-352)
CVE-2025-68722 (Shared CWE-352)
CVE-2025-31440 (Shared CWE-352)
CVE-2025-23848 (Shared CWE-352)
CVE-2025-22571 (Shared CWE-352)
CVE-2024-53684 (Shared CWE-352)
CVE-2025-23455 (Shared CWE-352)
CVE-2025-22582 (Shared CWE-352)

Affected Assets

old-peanut / open-shop, versions ≤ 1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 mandates protections for communications session authenticity, such as anti-CSRF tokens, directly preventing attackers from forging POST requests to gain sensitive information.

prevent

SI-10 requires validation of information inputs, including CSRF tokens in crafted HTTP POST messages, to ensure requests originate from legitimate user interactions.

prevent, detect

SC-7 enables boundary protection mechanisms like web application firewalls to inspect and block anomalous cross-site POST requests indicative of CSRF exploitation.
