CVE-2025-12919: Improper Control of Resource Identifiers in EverShop
A vulnerability was found in EverShop up to version 2.0.1. The affected code is an unidentified function in the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the Order Handler component. Manipulating the uuid argument leads to improper control of resource identifiers. The attack can be launched remotely; it is rated as high complexity and exploitation is reported to be difficult. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond.
AI Analysis
Technical Summary
CVE-2025-12919 identifies a vulnerability in EverShop, an open-source Node.js e-commerce platform, affecting versions 2.0.0 and 2.0.1. The issue resides in the Order Handler component, specifically in the GraphQL resolver file Order.resolvers.js, which serves order lookups for the GraphQL API. The vulnerability stems from improper control of resource identifiers: the 'uuid' argument of the order query is attacker-controlled, and the resolver acts on it without adequately checking that the caller is entitled to the order it names. The pattern is that of an insecure direct object reference: whoever supplies a valid order UUID can read or alter that order, compromising order confidentiality and integrity. The attack is carried out over the network, requires no user interaction and, according to the advisory, no authentication, but its complexity is rated high; since randomly generated UUIDs cannot be enumerated, an attacker first has to learn a victim's order UUID by other means, which is consistent with that rating. The CVSS 4.0 score is 6.3 (medium), reflecting the balance between potential impact and difficulty of exploitation. The vendor has not issued a patch or responded to the disclosure; a public exploit exists, but there are no reports of active exploitation in the wild. The lack of a patch and of vendor engagement increases the risk for organizations running affected versions: attackers could access or alter order information, affecting customer data privacy and transactional integrity in affected e-commerce deployments.
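To make the bug class concrete, the following is an added illustration written for this page; it is not EverShop's code and does not reproduce Order.resolvers.js. It contrasts a GraphQL-style resolver that selects an order by the client-supplied uuid alone with one that scopes the lookup to the authenticated customer. The in-memory ORDERS table, the context shape (context.customer.id) and the resolver names are assumptions for the example.

```javascript
// Added illustration of the vulnerable vs. hardened lookup pattern.
// Not EverShop code: the data, context shape and function names are assumed.

// Constructed sample data standing in for the orders table.
const ORDERS = [
  { uuid: '8f14e45f-ceea-4e67-8f1d-0a2e4b1c9f01', customer_id: 101, total: 49.9, shipping_address: 'Alice, 1 Main St' },
  { uuid: '3c9a1b7e-5d2f-4a8b-9e6c-7d1f2a3b4c02', customer_id: 202, total: 120.0, shipping_address: 'Bob, 2 High St' },
];

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function isValidUuid(s) {
  return typeof s === 'string' && UUID_RE.test(s);
}

function findOrderByUuid(uuid) {
  return ORDERS.find((o) => o.uuid === uuid.toLowerCase()) || null;
}

// VULNERABLE pattern: the client-supplied identifier is the only thing that
// selects the resource. Anyone who knows (or obtains) a uuid gets the order,
// regardless of who they are. A syntax check on the uuid would not help here,
// because a victim's real uuid is syntactically valid.
function orderResolverVulnerable(_parent, args, _context) {
  return findOrderByUuid(args.uuid);
}

// HARDENED pattern: require an authenticated caller and scope the lookup to
// that caller's own orders. "Not found" and "not yours" return the same value
// so the endpoint does not confirm which uuids exist.
function orderResolverHardened(_parent, args, context) {
  if (!context || !context.customer || typeof context.customer.id !== 'number') {
    throw new Error('UNAUTHENTICATED');
  }
  if (!isValidUuid(args.uuid)) return null;
  const order = findOrderByUuid(args.uuid);
  if (!order || order.customer_id !== context.customer.id) return null;
  return order;
}

// Scenario: customer 202 (Bob) submits Alice's order uuid in the query variables.
function simulateAttack() {
  const attackerContext = { customer: { id: 202 } };
  const args = { uuid: '8f14e45f-ceea-4e67-8f1d-0a2e4b1c9f01' };
  return {
    vulnerable: orderResolverVulnerable(null, args, attackerContext), // Alice's order leaks
    hardened: orderResolverHardened(null, args, attackerContext),     // null
  };
}

console.log(JSON.stringify(simulateAttack(), null, 2));
```

In a real deployment the ownership check belongs in the data-access layer (a query constrained by both uuid and customer id), not only in the resolver, so that every code path that loads an order is covered; an admin role would be granted the unscoped lookup explicitly rather than by omitting the check.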
Potential Impact
The vulnerability can lead to unauthorized access or modification of order data within EverShop-based e-commerce platforms. This compromises confidentiality by exposing sensitive customer and order information and integrity by allowing unauthorized changes to orders. Availability impact is minimal as the vulnerability does not directly enable denial-of-service. The remote exploitability without authentication increases risk, especially in environments exposed to the internet. Organizations could face financial losses, reputational damage, and regulatory penalties if customer data is exposed or transactions are manipulated. The absence of vendor response and patches prolongs exposure, increasing the window for potential exploitation. Given the high complexity, widespread automated exploitation is less likely, but targeted attacks against high-value e-commerce sites remain a concern.
Mitigation Recommendations
Organizations should immediately audit their EverShop installations to identify affected versions (2.0.0 and 2.0.1). No official patch is available, so consider the following mitigations: 1) Fix the lookup itself: the order resolver should return an order only when it belongs to the authenticated customer (or the caller holds an explicit admin role), and should give the same response for a missing order and for one owned by someone else. A gateway or web application firewall (WAF) rule that only checks the 'uuid' parameter for UUID syntax will not stop this attack, because a victim's real UUID is syntactically valid; such rules are useful for rate limiting and for blocking clients that cycle through many distinct UUIDs. 2) Restrict external access to the GraphQL endpoint where the deployment allows it (IP allowlisting or network segmentation), bearing in mind that a customer-facing storefront API usually cannot be allowlisted. 3) Monitor GraphQL access logs for unusual patterns, in particular a single client requesting many distinct order UUIDs in a short period, or repeated lookups of orders that do not belong to the session. 4) Employ runtime application self-protection (RASP) tools to detect and block exploitation attempts dynamically. 5) Engage with the EverShop community for updates or unofficial patches. 6) Plan for an upgrade once the vendor releases a fix. 7) Conduct regular security assessments and penetration testing focused on GraphQL endpoints, including authorization tests that submit another user's object identifiers.
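The log-monitoring recommendation above is easiest to act on with a concrete rule. The following is an added detection example, not part of the original page and not an EverShop feature: it parses JSON-lines GraphQL access records and flags any client IP that requests more than a threshold of distinct order UUIDs within a sliding time window. Because a vulnerable instance returns 200 for other customers' orders, the rule keys on UUID velocity rather than on error codes. The log format, field names and every line of SAMPLE_LOG are constructed for this example.

```javascript
// Added detection example. The log schema (ts, ip, op, uuid, status) is an
// assumption, and all SAMPLE_LOG lines are constructed, not real traffic.
const SAMPLE_LOG = [
  // an ordinary customer looking at two of their own orders, minutes apart
  '{"ts":"2025-11-10T08:00:01Z","ip":"198.51.100.5","op":"order","uuid":"aaaaaaaa-0000-4000-8000-000000000001","status":200}',
  '{"ts":"2025-11-10T08:05:40Z","ip":"198.51.100.5","op":"order","uuid":"aaaaaaaa-0000-4000-8000-000000000002","status":200}',
  // a client cycling through six different order uuids in fifteen seconds
  '{"ts":"2025-11-10T09:00:00Z","ip":"203.0.113.7","op":"order","uuid":"bbbbbbbb-0000-4000-8000-000000000001","status":200}',
  '{"ts":"2025-11-10T09:00:03Z","ip":"203.0.113.7","op":"order","uuid":"BBBBBBBB-0000-4000-8000-000000000002","status":200}',
  '{"ts":"2025-11-10T09:00:06Z","ip":"203.0.113.7","op":"order","uuid":"bbbbbbbb-0000-4000-8000-000000000003","status":200}',
  '{"ts":"2025-11-10T09:00:09Z","ip":"203.0.113.7","op":"order","uuid":"bbbbbbbb-0000-4000-8000-000000000004","status":200}',
  '{"ts":"2025-11-10T09:00:12Z","ip":"203.0.113.7","op":"order","uuid":"bbbbbbbb-0000-4000-8000-000000000005","status":200}',
  '{"ts":"2025-11-10T09:00:15Z","ip":"203.0.113.7","op":"order","uuid":"bbbbbbbb-0000-4000-8000-000000000006","status":200}',
  // noise the parser must ignore: a different operation and a malformed line
  '{"ts":"2025-11-10T09:00:16Z","ip":"203.0.113.7","op":"cart","status":200}',
  'this line is not JSON and must be skipped',
].join('\n');

// Parse JSON lines into time-sorted order-lookup events; skip anything that is
// not a well-formed order lookup rather than aborting on bad input.
function parseLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (_) { continue; }
    if (rec.op !== 'order' || typeof rec.uuid !== 'string' || typeof rec.ip !== 'string') continue;
    const t = Date.parse(rec.ts);
    if (Number.isNaN(t)) continue;
    events.push({ t, ip: rec.ip, uuid: rec.uuid.toLowerCase(), status: rec.status });
  }
  return events.sort((a, b) => a.t - b.t);
}

// For each IP, slide a window of windowMs over its events and record the
// largest number of distinct uuids seen in any window. Alert when that peak
// reaches threshold. Returns one alert object per offending IP.
function detectUuidProbing(events, windowMs = 60000, threshold = 5) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, evs] of byIp) {
    const counts = new Map(); // uuid -> occurrences inside the current window
    let start = 0;
    let best = { size: 0, from: null, to: null };
    for (let end = 0; end < evs.length; end++) {
      counts.set(evs[end].uuid, (counts.get(evs[end].uuid) || 0) + 1);
      while (evs[end].t - evs[start].t > windowMs) {
        const u = evs[start].uuid;
        const c = counts.get(u) - 1;
        if (c === 0) counts.delete(u); else counts.set(u, c);
        start++;
      }
      if (counts.size > best.size) best = { size: counts.size, from: evs[start].t, to: evs[end].t };
    }
    if (best.size >= threshold) {
      alerts.push({
        ip,
        distinctUuids: best.size,
        from: new Date(best.from).toISOString(),
        to: new Date(best.to).toISOString(),
      });
    }
  }
  return alerts;
}

console.log(detectUuidProbing(parseLog(SAMPLE_LOG)));
```

Tune windowMs and threshold against the store's normal traffic (a customer with a long order history legitimately opens several orders in one sitting), and key on session or account identifiers as well as IP where the logs carry them, since a single NAT address can hide many real customers.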
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-09T06:29:03.722Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691102ed4abca22cf3180d07
Added to database: 11/9/2025, 9:09:01 PM
Last enriched: 2/24/2026, 10:18:40 PM
Last updated: 3/25/2026, 4:28:06 AM
Views: 129