Friday, April 24, 2026

nopCommerce Vulnerability Lets Attackers Access Application Using Captured Cookie

A critical flaw in the popular open-source eCommerce platform nopCommerce exposes users to session hijacking attacks.

Security researchers at CERT have issued Vulnerability Note VU#633103, detailing how the platform fails to invalidate session cookies after logout or session termination.

Tracked as CVE-2025-11699, this issue affects versions 4.70 and earlier, plus 4.80.3 specifically.

Attackers can replay stolen cookies to access admin endpoints, even after logout. The vulnerability surfaced publicly on December 1, 2025, via a Full Disclosure post and GitHub issue #7044 in the nopCommerce repository.

nopCommerce powers online stores for major brands like Microsoft, Volvo, and BMW.

Built on ASP.NET Core with MS SQL Server 2012 backend, it integrates shipping APIs, CDNs, and user login for cart persistence.

The core problem lies in session management: upon logout, the server does not clear or regenerate the session cookie (typically named .Nop.Customer).

This cookie, which authenticates requests, remains valid indefinitely if captured via cross-site scripting (XSS), network sniffing (e.g., unencrypted Wi-Fi), or local device compromise.

Technical Breakdown

In a typical ASP.NET Core session flow, logout should call HttpContext.SignOutAsync() to revoke the authentication ticket and invalidate the cookie, which should also carry the HttpOnly, Secure, and SameSite flags.

nopCommerce skips this step for its custom session cookie, echoing the earlier flaw CVE-2019-7215.

An attacker holding a valid cookie, whether obtained from an XSS payload that exfiltrates document.cookie or from MITM capture with tools like Wireshark, can inject it into their own browser via developer tools or the Burp Suite repeater.

Proof-of-concept exploits confirm access to privileged routes. For instance, after a legitimate logout, replaying the cookie to POST /admin/common/save notification bypasses auth checks, as the backend trusts the unaltered session ID tied to the MS SQL session store.

The cookie persists across browser restarts unless the browser clears it, amplifying the risk in shared or compromised environments. Underground markets already trade such session data for ransomware entry or crypto theft, per CERT analysis.

Impact and Mitigation

Impacts range from account takeover to full store compromise, enabling fraudulent orders, data exfiltration, or ransomware deployment.

ECommerce sites face heightened financial risks, especially when integrated payment gateways are used.

The fix rolled out in nopCommerce versions 4.70 and later (excluding 4.80.3).

Administrators on vulnerable releases must upgrade immediately to 4.90.3, which enforces proper cookie invalidation via enhanced SignOut logic.

Interim mitigations include enforcing HTTPS, HttpOnly flags, and short session timeouts.
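The following minimal ASP.NET Core program is an added illustration of what "proper cookie invalidation" means in practice; it is not nopCommerce's code. Because the cookie-auth ticket is self-contained, SignOutAsync only deletes the cookie on the client, so the example stores a per-login session id in the ticket and checks it against a server-side revocation list on every request. The `sid` claim, the `revokedSessions` dictionary and the `/login`, `/logout` and `/admin` routes are assumptions for the demo.

```csharp
// Added example (not nopCommerce code): logout revokes the session server-side,
// so a replayed copy of the cookie is rejected after logout.
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical in-process revocation list; a real deployment would back this
// with the database or a distributed cache shared by every web node.
var revokedSessions = new ConcurrentDictionary<string, DateTime>();

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;                          // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(20);       // short session timeout
        options.SlidingExpiration = true;
        options.Events.OnValidatePrincipal = async ctx =>
        {
            // Runs on every authenticated request: a ticket whose session id was
            // revoked at logout is rejected even though the cookie itself is intact.
            var sid = ctx.Principal?.FindFirst("sid")?.Value;
            if (sid is null || revokedSessions.ContainsKey(sid))
            {
                ctx.RejectPrincipal();
                await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", async (HttpContext http) =>
{
    // Fresh random session id per login; this is what logout later revokes.
    var claims = new[] { new Claim(ClaimTypes.Name, "demo-user"),
                         new Claim("sid", Guid.NewGuid().ToString("N")) };
    var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    return Results.Ok();
});

app.MapPost("/logout", async (HttpContext http) =>
{
    var sid = http.User.FindFirst("sid")?.Value;
    if (sid is not null) revokedSessions[sid] = DateTime.UtcNow; // revoke before clearing the cookie
    await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.Ok();
}).RequireAuthorization();

app.MapGet("/admin", () => "admin area").RequireAuthorization();
app.Run();
```

Entries in the revocation list only need to live as long as ExpireTimeSpan, after which the ticket itself is no longer accepted.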

nopSolutions acknowledged the report by Beatriz Fresno Naumova (beafn28), documented by CERT’s Christopher Cullen.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.