PT-2025-4483 · Optimizely · Optimizely Configured Commerce
Published 2025-01-04 · Updated 2025-01-06 · CVE-2025-22387
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Optimizely Configured Commerce versions prior to 5.2.2408
Description
A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. Because the token is carried as a session token parameter in URL requests, it exposes information about the authenticated session, which can be leveraged for session hijacking.
Recommendations
For versions prior to 5.2.2408, update to version 5.2.2408 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources or disabling the submission of session tokens as URL parameters until a patch is applied. Avoid using the session token parameter in URL requests for resources until the issue is resolved.
Fix
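The following is an added example and not code from the advisory or from Optimizely. It illustrates the weakness class described above (a session credential carried in the URL query string) from the defender's side: a log scan that flags requests whose URL carries a session-token parameter, and the hardened pattern the recommendations point at, where token parameters are stripped from the URL and the session is only accepted from an Authorization header. The parameter names in TOKEN_PARAMS, the header name, and every log line are constructed placeholders; the advisory does not name the real parameter, and the token values are not real.

```python
"""Detecting and refusing session tokens carried in URL query strings.

Added example, not part of the advisory. The parameter names, the log
lines and the token values below are constructed placeholders.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as session credentials (assumed list; the
# advisory does not name the real parameter).
TOKEN_PARAMS = {"sessiontoken", "session_token", "sessionid", "jsessionid"}

# Constructed sample access-log lines in a simplified common-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jan/2025:10:00:01 +0000] "GET /catalog/items?page=2 HTTP/1.1" 200 512 "-"
10.0.0.7 - - [04/Jan/2025:10:00:02 +0000] "GET /api/v1/orders?sessionToken=EXAMPLE-TOKEN-1 HTTP/1.1" 200 2048 "https://shop.example/cart"
10.0.0.9 - - [04/Jan/2025:10:00:03 +0000] "GET /resources/invoice.pdf?session_token=EXAMPLE-TOKEN-2 HTTP/1.1" 200 9000 "-"
"""

LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ "(?P<referer>[^"]*)"'
)


def find_token_in_url(target: str) -> List[str]:
    """Return the names of query parameters in `target` that look like session tokens."""
    query = urlsplit(target).query
    return [name for name in parse_qs(query, keep_blank_values=True)
            if name.lower() in TOKEN_PARAMS]


def scan_log(text: str) -> List[Dict]:
    """Flag every request whose URL carries a session-token parameter.

    A token in the URL lands in server and proxy logs, browser history and
    the Referer header sent to other sites, which is the exposure the
    advisory describes.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        names = find_token_in_url(m["target"])
        if names:
            findings.append({
                "path": urlsplit(m["target"]).path,
                "params": names,
                "status": int(m["status"]),
            })
    return findings


def strip_token_params(target: str) -> str:
    """Hardened handling: drop token parameters from the request target so the
    credential can only be supplied out of band (cookie or header)."""
    parts = urlsplit(target)
    kept = {k: v for k, v in parse_qs(parts.query, keep_blank_values=True).items()
            if k.lower() not in TOKEN_PARAMS}
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept, doseq=True), parts.fragment))


def accept_session(headers: Dict[str, str], target: str) -> Optional[str]:
    """Return the session token only when it arrives in an Authorization
    header; a request that also carries one in the URL is refused outright,
    so a leaked URL never becomes a valid session."""
    if find_token_in_url(target):
        return None
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"token in URL: {f['path']} via {f['params']} (status {f['status']})")
    print(strip_token_params("/api/v1/orders?sessionToken=EXAMPLE-TOKEN-1&page=2"))
```

Run against real logs, `scan_log` is the quick check for whether the session token parameter is still appearing in requests after the workaround is applied; `accept_session` shows the server-side rule that makes the URL-borne token worthless even if it is logged somewhere.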
Weakness Enumeration
Related Identifiers
Affected Products
Optimizely Configured Commerce