PT-2026-6727 · Spree · Spree

Published: 2026-02-05 · Updated: 2026-02-19
CVE-2026-25758
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Spree versions prior to 4.10.3
Spree versions prior to 5.0.8
Spree versions prior to 5.1.10
Spree versions prior to 5.2.7
Spree versions prior to 5.3.2

Description
An IDOR vulnerability exists in Spree Commerce's guest checkout flow. A guest user can manipulate the address ID parameters and bind arbitrary guest addresses to their own order, gaining unauthorized access to other guests' personally identifiable information (PII), including names, postal addresses and phone numbers. The issue bypasses the existing ownership validation check and affects all guest checkout transactions.

The vulnerability stems from incomplete authorization validation in Spree's checkout address assignment logic, specifically in how the plain ID parameters (bill_address_id and ship_address_id) are handled without proper validation. The vulnerable assignment logic resides in the bill_address_id= and ship_address_id= setters in the spree/order/address_book.rb model. These setters only check that address.user_id == order.user_id; for a guest order both sides are nil, so the comparison evaluates to true (nil == nil) and the intended ownership check is bypassed. The permitted attributes in spree/permitted_attributes.rb allow bill_address_id and ship_address_id without further validation, and the checkout update in spree/order/checkout.rb applies these parameters directly to the Order model.
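The failing check described above, as an added stand-alone Ruby example that is not Spree's own code: a minimal Order model with the vulnerable setter beside an illustrative hardened one, driven by a checkout update that applies a permitted bill_address_id parameter directly. The class names, the in-memory address table, the hostile request parameters and the hardened rule (honour a plain address ID only for a logged-in user who owns that address) are assumptions for illustration, not necessarily the upstream fix.

```ruby
# Added example, not Spree's code: models the nil == nil ownership check
# on a guest order and an illustrative hardened check. Names, the address
# table and the hardened rule are assumptions for illustration.

Address = Struct.new(:id, :user_id, :name, :phone)

# Constructed stand-in for Spree::Address.find_by(id: ...).
ADDRESSES = {
  1 => Address.new(1, nil, 'Guest One', '555-0101'), # guest, no owner
  2 => Address.new(2, nil, 'Guest Two', '555-0102'), # another guest, no owner
  3 => Address.new(3, 42,  'Member',    '555-0103'), # owned by user 42
}.freeze

class Order
  attr_reader :user_id, :bill_address_id

  def initialize(user_id: nil)
    @user_id = user_id        # nil for a guest checkout
    @bill_address_id = nil
  end

  # Vulnerable setter, mirroring the check described in the advisory: a
  # guest order has user_id nil and a guest address has user_id nil, so
  # nil == nil passes and any guest address in the table can be bound.
  def vulnerable_bill_address_id=(id)
    address = ADDRESSES[id]
    @bill_address_id = (address && address.user_id == user_id) ? address.id : nil
  end

  # Hardened setter (an assumption, not necessarily the upstream fix):
  # binding by plain ID is only honoured for a logged-in user, and only
  # for an address that user owns. A guest must submit full address
  # attributes, so a plain ID on a guest order is discarded.
  def hardened_bill_address_id=(id)
    address = ADDRESSES[id]
    owned = !user_id.nil? && !address.nil? && address.user_id == user_id
    @bill_address_id = owned ? address.id : nil
  end
end

# Mimics the checkout update applying a permitted bill_address_id
# parameter straight to the order. Params arrive as strings, as from a
# form or JSON body; returns the bill_address_id that ends up bound.
def checkout_update(params, user_id: nil, hardened: false)
  order = Order.new(user_id: user_id)
  raw = params.fetch('order', {})['bill_address_id']
  id = Integer(raw, exception: false)   # nil if missing or not numeric
  if hardened
    order.hardened_bill_address_id = id
  else
    order.vulnerable_bill_address_id = id
  end
  order.bill_address_id
end

# Constructed hostile request: a guest who owns address 1 submits the ID
# of another guest's address instead.
HOSTILE_PARAMS = { 'order' => { 'bill_address_id' => '2' } }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, guest order -> #{checkout_update(HOSTILE_PARAMS).inspect}"
  puts "hardened,   guest order -> #{checkout_update(HOSTILE_PARAMS, hardened: true).inspect}"
end
```

With the vulnerable setter the guest order ends up bound to address 2, and the other guest's name and phone number are then rendered in the attacker's checkout; with the hardened setter the plain ID is dropped and the guest has to supply address attributes of their own. Note that the vulnerable check already stops a guest from binding a logged-in user's address (42 == nil is false), which is why the advisory scopes the exposure to other guests' addresses.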
Recommendations
Update to Spree version 4.10.3 or later.
Update to Spree version 5.0.8 or later.
Update to Spree version 5.1.10 or later.
Update to Spree version 5.2.7 or later.
Update to Spree version 5.3.2 or later.

Weakness Enumeration
Improper Access Control
IDOR

Related Identifiers

CVE-2026-25758
GHSA-87FH-RC96-6FR6

Affected Products

Spree