# nopCommerce <= 4.70 and 4.80.3 – Insufficient Session Cookie Invalidation (CVE-2025-11699)

**Author:** Beatriz Fresno Naumova (beafn28)

**Date:** 01/12/2025

**Vendor:** nopSolutions

**Product:** nopCommerce (ASP.NET Core eCommerce Platform)

**Versions affected:**

* <= 4.70
* 4.80.3

**Component:** Authentication / Session Management

**CWE:** CWE-613 – Insufficient Session Expiration

**Attack type:** Remote

**Impact:** Session Hijacking / Privilege Escalation

### Description

nopCommerce is an open-source eCommerce platform built on ASP.NET Core and backed by Microsoft SQL Server.\
Versions up to 4.70 and version 4.80.3 fail to properly invalidate session cookies after user logout or session termination.

As a result, an attacker who obtains a valid session cookie can continue to access authenticated and privileged endpoints (such as `/admin`) even after the legitimate user has logged out. This behavior enables session hijacking attacks and mirrors previously observed vulnerabilities such as CVE-2019-7215.

Session cookies may be obtained through cross-site scripting (XSS), network interception, malware infection, or local compromise. Once captured, the cookie remains valid beyond logout, violating expected session lifecycle guarantees.
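The behaviour described above can be confirmed with a cookie replay test: request `/admin` with a captured authentication cookie, log that session out, then repeat the request with the unchanged cookie. The following console program is an added example, not code from the advisory or from nopCommerce; the cookie name `.Nop.Authentication`, the `/admin` area and the `GET /logout` route are assumptions about the target and should be adjusted to what you observe in the browser.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added example: replays a captured authentication cookie against /admin before
// and after logout. A fixed deployment rejects the second request; a vulnerable
// one keeps serving the admin area.
class SessionReplayCheck
{
    // Returns true when the server served the admin page rather than redirecting
    // (302 to /login) or denying the request.
    static async Task<bool> AdminAcceptsCookieAsync(HttpClient client, Uri baseUri, string cookieHeader)
    {
        using var req = new HttpRequestMessage(HttpMethod.Get, new Uri(baseUri, "/admin"));
        req.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
        using var resp = await client.SendAsync(req);
        return resp.StatusCode == HttpStatusCode.OK;
    }

    static async Task<int> Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: SessionReplayCheck <base-url> <cookie-value>");
            return 2;
        }
        var baseUri = new Uri(args[0]);
        // Cookie name is an assumption about the target; the value is what was
        // captured from the browser while the user was logged in.
        string cookieHeader = ".Nop.Authentication=" + args[1];

        // No automatic cookie jar and no redirect following, so the outcome reflects
        // exactly the cookie we supply and nothing the server hands back.
        using var handler = new HttpClientHandler { UseCookies = false, AllowAutoRedirect = false };
        using var client = new HttpClient(handler);

        if (!await AdminAcceptsCookieAsync(client, baseUri, cookieHeader))
        {
            Console.WriteLine("Captured cookie is not accepted for /admin; nothing to test.");
            return 1;
        }
        Console.WriteLine("/admin with cookie before logout: authenticated");

        // Terminate the session using the same cookie (logout route is an assumption).
        using (var logout = new HttpRequestMessage(HttpMethod.Get, new Uri(baseUri, "/logout")))
        {
            logout.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
            using var ignored = await client.SendAsync(logout);
        }

        bool stillValid = await AdminAcceptsCookieAsync(client, baseUri, cookieHeader);
        Console.WriteLine(stillValid
            ? "/admin with the same cookie after logout: authenticated (cookie not invalidated)"
            : "/admin with the same cookie after logout: rejected (logout invalidated the session)");
        return stillValid ? 1 : 0;
    }
}
```

Run it as `dotnet run -- https://shop.example.test <cookie-value>`; a non-zero exit code after the logout step means the session survived logout. Disabling `AllowAutoRedirect` matters: with redirects followed, the login page would come back as a 200 and mask the difference.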

### Impact

**Primary impact:** Session hijacking leading to unauthorized access.

**Consequences:**

* Unauthorized access to administrative or user accounts
* Financial fraud and data manipulation
* Ransomware or cryptocurrency theft campaigns
* Sale of valid session cookies on underground forums

Session hijacking attacks have been widely abused in real-world incidents and remain a high-impact threat, particularly for eCommerce platforms.

### CVSS Details

* **Attack Vector (AV):** Network (N)
* **Attack Complexity (AC):** Low (L)
* **Privileges Required (PR):** None (N)
* **User Interaction (UI):** Required (R)
* **Scope (S):** Unchanged (U)
* **Confidentiality (C):** Low (L)
* **Integrity (I):** High (H)
* **Availability (A):** None (N)

**CVSS v3.1 Vector:**\
`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N`

**CVSS v3.1 Base Score:** 7.1 (High)

> **Note:** An attacker must first obtain a valid session cookie (e.g., via XSS, network interception, or local compromise), but no additional privileges are required once the cookie is captured.

### Solution

* **Upgrade immediately:**\
  Update to **nopCommerce 4.90.3** or later.
* **Affected versions:**
  * Version **4.70 and earlier**
  * Version **4.80.3**
* **Fixed versions:**
  * Versions **after 4.70**, excluding **4.80.3**

### Mitigation

* Invalidate the session server-side on logout and on any other session termination (password change, administrator-forced logout), so that the cookie value itself stops being accepted; deleting the cookie in the browser is not sufficient.
* Issue a new session identifier at login (rotation), so a cookie obtained before authentication cannot be reused afterwards.
* Consider binding sessions to additional context (IP, User-Agent) where feasible, as defence in depth only: the User-Agent is attacker-controlled and client IPs change legitimately.
* Monitor for reuse of a session identifier after the logout event recorded for that session.
* Conduct periodic session management security reviews.
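The first two mitigations above can be implemented in ASP.NET Core cookie authentication by moving the ticket server-side: when `CookieAuthenticationOptions.SessionStore` is set, the cookie carries only an opaque key, `SignOutAsync` removes the stored ticket, and a cookie replayed after logout no longer resolves to a principal. The code below is an added example, not nopCommerce's own wiring; the scheme name, cookie name and expiry values are placeholders, and it targets .NET 6 or later (`RandomNumberGenerator.GetBytes`, `Convert.ToHexString`).

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example: server-side ticket store. The browser only ever holds the random
// key; the principal lives here, and removing the entry is what makes logout
// effective. In-memory for illustration; a multi-node deployment needs a shared
// store (IDistributedCache or similar) so every node sees the same revocations.
public sealed class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        // 256-bit key from the CSPRNG, so a session key cannot be guessed or enumerated.
        var key = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        // Sliding expiration re-issues the ticket under the same key.
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        // Unknown key: never issued, or already removed by logout.
        if (!_tickets.TryGetValue(key, out var ticket))
            return Task.FromResult<AuthenticationTicket?>(null);

        // Drop expired tickets so a stale cookie is rejected and the store does not grow unbounded.
        if (ticket.Properties.ExpiresUtc is { } expires && expires <= DateTimeOffset.UtcNow)
        {
            _tickets.TryRemove(key, out _);
            return Task.FromResult<AuthenticationTicket?>(null);
        }
        return Task.FromResult<AuthenticationTicket?>(ticket);
    }

    public Task RemoveAsync(string key)
    {
        // Invoked by HttpContext.SignOutAsync: afterwards the replayed cookie resolves to nothing.
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }
}

public static class SessionHardening
{
    // Registers cookie authentication backed by the store above. Scheme and cookie
    // names are placeholders, not the values nopCommerce uses.
    public static IServiceCollection AddRevocableCookieAuth(this IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.SessionStore = new InMemoryTicketStore();
                options.Cookie.Name = ".Example.Authentication";
                options.Cookie.HttpOnly = true;                     // keeps the key out of reach of XSS
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.ExpireTimeSpan = TimeSpan.FromHours(8);     // absolute cap regardless of activity
                options.SlidingExpiration = true;
            });
        return services;
    }
}
```

Call `services.AddRevocableCookieAuth()` at startup; a logout handler then only needs `await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme)`, which deletes the cookie and calls `RemoveAsync`. Each `SignInAsync` calls `StoreAsync` and therefore mints a fresh key, which gives the login-time rotation for free. Terminating all sessions of one user (for example on password change) additionally needs an index from user to keys, which this store does not keep.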

### Discoverer

Beatriz Fresno Naumova (beafn28)

### References

* **CVE:** <https://www.cve.org/CVERecord?id=CVE-2025-11699>
* **CERT/CC Vulnerability Note:** <https://www.kb.cert.org/vuls/id/633103>
