CVE-2025-11699 Overview
CVE-2025-11699 is a session management vulnerability affecting nopCommerce, an open-source e-commerce platform built on ASP.NET Core. The flaw exists in nopCommerce v4.70 and prior, as well as version 4.80.3, where the application fails to invalidate session cookies after logout or session termination. An attacker who obtains a valid session cookie retains access to privileged endpoints such as /admin even after the legitimate user has logged out. This weakness enables session hijacking against administrative accounts and customer sessions alike. The vulnerability is classified under CWE-613 (Insufficient Session Expiration).
Critical Impact
An attacker holding a captured session cookie can access administrative functionality at /admin after the legitimate user logs out, leading to full compromise of store data, orders, and configuration.
Affected Products
- nopCommerce v4.70 and all prior versions
- nopCommerce v4.80.3
- Note: Versions above 4.70 that are not 4.80.3 contain the fix
Discovery Timeline
- 2025-12-01 - CVE-2025-11699 published to NVD
- 2025-12-19 - Last updated in NVD database
Technical Details for CVE-2025-11699
Vulnerability Analysis
The vulnerability resides in nopCommerce's session handling logic. When a user logs out or a session is terminated server-side, the application does not invalidate the associated session cookie. The cookie remains valid for authenticated requests until its natural expiration. An attacker who captured the cookie through network interception, cross-site scripting, malware on the client, or shared-device exposure can replay it to regain authenticated access. The attack succeeds against both customer-facing endpoints and the administrative interface at /admin, making impact disproportionate when administrator sessions are targeted.
Root Cause
The root cause is missing server-side invalidation of authentication tokens during the logout workflow. Logout actions clear client-side cookie state in the browser but do not revoke or blacklist the issued session identifier on the server. This violates the session lifecycle expectations described in CWE-613, where authenticated session tokens must be terminated when the user explicitly ends the session or when a timeout policy triggers.
Attack Vector
Exploitation requires the attacker to first obtain a valid session cookie. Common acquisition methods include man-in-the-middle interception on weak or misconfigured TLS, browser-stored cookie theft from infostealer malware, cross-site scripting flaws in customizations, or physical access to a previously authenticated browser. After the legitimate user logs out, the attacker submits requests carrying the captured cookie value. nopCommerce treats the request as authenticated and authorizes access to user-specific or administrative endpoints. The vulnerability mechanism is documented in the GitHub issue discussion and the full disclosure security post.
Detection Methods for CVE-2025-11699
Indicators of Compromise
- Successful authenticated requests to /admin or account endpoints originating from IP addresses or user-agent strings that differ from the original login session.
- Reuse of the same session cookie identifier across geographically distant source IPs within a short timeframe.
- HTTP requests carrying valid session cookies received after a documented logout event for the same user account.
Detection Strategies
- Correlate authentication logs against web server access logs to identify requests bearing session cookies that were issued before the most recent logout event.
- Implement anomaly detection on session-cookie-to-IP-address bindings, flagging cookies that switch source networks mid-session.
- Review administrative actions in nopCommerce audit logs for changes performed outside expected operator schedules or from unfamiliar client fingerprints.
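An added example (not part of this advisory or of nopCommerce) of the first detection strategy above: it correlates constructed login/logout events with constructed access-log entries and flags successful requests whose session identifier had already been logged out. The record shapes and the sample session ids, IPs and paths are assumptions standing in for whatever your log pipeline emits.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Kind is "login" or "logout"; Sid is the session cookie identifier (constructed schema).
record AuthEvent(DateTime At, string User, string Sid, string Kind);
record Request(DateTime At, string Sid, string Ip, string Path, int Status);
record Finding(Request Req, AuthEvent Logout, TimeSpan AfterLogout);

static class ReplayDetector
{
    // Returns each 2xx request whose session id had already been logged out,
    // i.e. a cookie that should have been dead but still authenticated.
    public static List<Finding> Find(IEnumerable<AuthEvent> auth, IEnumerable<Request> access)
    {
        var firstLogout = auth.Where(e => e.Kind == "logout")
            .GroupBy(e => e.Sid)
            .ToDictionary(g => g.Key, g => g.OrderBy(e => e.At).First());
        return access
            .Where(r => r.Status / 100 == 2 && firstLogout.TryGetValue(r.Sid, out var lo) && r.At > lo.At)
            .Select(r => new Finding(r, firstLogout[r.Sid], r.At - firstLogout[r.Sid].At))
            .OrderBy(f => f.Req.At)
            .ToList();
    }
}

static class Program
{
    static void Main()
    {
        var t0 = new DateTime(2025, 12, 5, 9, 0, 0, DateTimeKind.Utc);
        var auth = new[]      // constructed sample auth events
        {
            new AuthEvent(t0, "admin", "sidA1", "login"),
            new AuthEvent(t0.AddMinutes(30), "admin", "sidA1", "logout"),
            new AuthEvent(t0.AddMinutes(5), "alice", "sidC7", "login"),
        };
        var access = new[]    // constructed sample access-log entries
        {
            new Request(t0.AddMinutes(10), "sidA1", "203.0.113.10", "/admin", 200),            // before logout: fine
            new Request(t0.AddMinutes(31), "sidA1", "198.51.100.7", "/admin", 200),            // reuse after logout: flagged
            new Request(t0.AddMinutes(40), "sidA1", "198.51.100.7", "/admin", 302),            // bounced to login: not flagged
            new Request(t0.AddMinutes(20), "sidC7", "203.0.113.20", "/customer/info", 200),    // never logged out: fine
        };
        foreach (var f in ReplayDetector.Find(auth, access))
            Console.WriteLine($"{f.Req.At:u} {f.Req.Ip} {f.Req.Path} reused {f.Req.Sid} " +
                              $"{f.AfterLogout.TotalMinutes} min after {f.Logout.User} logged out");
    }
}
```

On a patched build the post-logout requests come back as 302 redirects to the login page, so filtering on 2xx keeps the detector quiet there; on a vulnerable build they return 200 and surface as findings.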
Monitoring Recommendations
- Forward nopCommerce application logs, IIS or Kestrel access logs, and load balancer logs to a centralized analytics platform for cross-correlation.
- Alert on privilege-sensitive operations under /admin paths, including product changes, order modifications, and user role updates.
- Track the lifetime of session identifiers and trigger investigation when a single cookie value persists beyond configured session timeouts.
How to Mitigate CVE-2025-11699
Immediate Actions Required
- Upgrade nopCommerce to a version above 4.70 that is not 4.80.3, as those builds contain the session invalidation fix per the nopCommerce release notes.
- Force password resets and invalidate all active sessions for administrative accounts after upgrading.
- Review administrator and customer account activity for unauthorized changes performed during the exposure window.
Patch Information
The nopCommerce maintainers addressed the issue in fixed releases above 4.70, excluding 4.80.3. Administrators should consult the nopCommerce release notes and the CERT Vulnerability Database Entry for vendor guidance and upgrade procedures.
Workarounds
- Shorten session and authentication cookie lifetimes in the application configuration to reduce the window in which a captured cookie remains valid.
- Enforce HTTPS site-wide with HSTS and set authentication cookies with Secure, HttpOnly, and SameSite=Strict attributes to limit cookie theft vectors.
- Restrict access to the /admin path with IP allowlisting at the web server or reverse proxy layer until the upgrade is complete.
- Instruct administrators to fully close their browser after logout to clear in-memory cookies on shared workstations.
// Example: enforce stricter cookie attributes and shorter lifetimes in ASP.NET Core startup.
// ConfigureApplicationCookie applies to the ASP.NET Core Identity cookie; the same
// CookieAuthenticationOptions are available on AddAuthentication().AddCookie(...).
// Requires: using Microsoft.AspNetCore.Http; using Microsoft.Extensions.DependencyInjection;
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = true;                          // not readable by script (limits XSS theft)
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // only sent over HTTPS
    options.Cookie.SameSite = SameSiteMode.Strict;           // not sent on cross-site requests
    options.ExpireTimeSpan = TimeSpan.FromMinutes(20);       // shorter window for a captured cookie
    options.SlidingExpiration = false;                       // activity does not extend the lifetime
});
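The attributes above only narrow the window; they do not close the root cause described earlier, which is that nothing on the server revokes the session at logout. The following added example (not nopCommerce's code, and not a patch for it) shows the pattern in a minimal ASP.NET Core app: each login mints a server-tracked session id carried as a claim, logout revokes it, and the cookie handler's OnValidatePrincipal event rejects any cookie whose id is no longer live. The SessionRegistry class, the "sid" claim name, and the /login and /logout routes are assumptions; it relies on the Web SDK's implicit usings.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

const string Scheme = CookieAuthenticationDefaults.AuthenticationScheme;
var builder = WebApplication.CreateBuilder(args);
var sessions = new SessionRegistry();   // hypothetical registry, defined at the bottom
builder.Services.AddAuthentication(Scheme).AddCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
    options.SlidingExpiration = false;
    // Runs on every request carrying the auth cookie: a replayed cookie whose session
    // id was revoked at logout is rejected although its signature and expiry are valid.
    options.Events.OnValidatePrincipal = async ctx =>
    {
        var sid = ctx.Principal?.FindFirstValue(SessionRegistry.SidClaim);
        if (sessions.IsLive(sid)) return;
        ctx.RejectPrincipal();
        await ctx.HttpContext.SignOutAsync(Scheme);
    };
});

var app = builder.Build();
app.UseAuthentication();
// Login: mint a server-tracked session id and embed it as a claim in the cookie.
app.MapPost("/login", async (HttpContext http, string user) =>
{
    var identity = new ClaimsIdentity(Scheme);
    identity.AddClaim(new Claim(ClaimTypes.Name, user));
    identity.AddClaim(new Claim(SessionRegistry.SidClaim, sessions.Issue()));
    await http.SignInAsync(Scheme, new ClaimsPrincipal(identity));
});
// Logout: revoke on the server first, then clear the client-side cookie.
app.MapPost("/logout", async (HttpContext http) =>
{
    sessions.Revoke(http.User.FindFirstValue(SessionRegistry.SidClaim));
    await http.SignOutAsync(Scheme);
});
app.Run();

// In-memory set of live session ids; use a shared store (database or cache) on a web farm.
sealed class SessionRegistry
{
    public const string SidClaim = "sid";
    private readonly ConcurrentDictionary<string, byte> _live = new();
    public string Issue() { var s = Guid.NewGuid().ToString("N"); _live[s] = 0; return s; }
    public bool IsLive(string? sid) => sid is not null && _live.ContainsKey(sid);
    public void Revoke(string? sid) { if (sid is not null) _live.TryRemove(sid, out _); }
}
```

The same registry gives operators the "invalidate all active sessions" lever from the Immediate Actions list: clearing it (or the rows for one user) kills every outstanding cookie at once.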
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

