CVE-2025-22385: CWE-862 Missing Authorization
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors.
AI Analysis
Technical Summary
CVE-2025-22385 affects Optimizely Configured Commerce before version 5.2.2408, specifically the B2B storefront application. The defect sits in the account-creation flow: a newly registered account is usable without the registrant ever confirming the email address it was registered with, so nothing in the flow establishes that the person submitting the form controls that address or wants an account at all. MITRE files the issue under CWE-862 (Missing Authorization); in practice the missing control is an address-ownership check rather than a role or permission check. Two consequences follow. First, because registration needs no credentials and no second step, an attacker can script it and create accounts in bulk, consuming database storage and whatever per-account resources the platform allocates. Second, the attacker can register accounts under email addresses that belong to other people (existing customers or arbitrary visitors), who then hold storefront accounts they never requested. The CVSS v3.1 base score is 5.9 (medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, no privileges or user interaction required, no confidentiality or integrity impact, high availability impact, with attack complexity rated high. The advisory names 5.2.2408 as the first unaffected release; no public exploit is documented at the time of writing.
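The two registration flows side by side, as an added example written for this page (not Optimizely's code; the class names, the PENDING/ACTIVE states and the 24-hour confirmation window are assumptions): the weak registry activates an account on submission, which is the behaviour the advisory describes, while the hardened registry keeps the account inert until the holder of the address presents a confirmation token, and a scheduled sweep deletes accounts that were never confirmed, so scripted registrations cannot accumulate in storage.

```python
"""Registration flows compared: activate-on-submit (the behaviour the advisory
describes for Configured Commerce before 5.2.2408) beside confirm-before-activate.
Illustrative example, not Optimizely code; class names, the PENDING/ACTIVE
states and the 24-hour confirmation window are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CONFIRM_TTL_SECONDS = 24 * 3600  # assumed policy: unconfirmed accounts live one day


@dataclass
class Account:
    email: str
    state: str  # "ACTIVE" or "PENDING"
    created_at: float
    confirm_token_hash: Optional[str] = None
    confirm_expires_at: Optional[float] = None


class WeakRegistry:
    """Vulnerable pattern: every registration request yields a usable account,
    with no proof that the submitter controls the address."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, now: float) -> Account:
        acct = Account(email=email, state="ACTIVE", created_at=now)
        self.accounts[email] = acct
        return acct

    def can_login(self, email: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.state == "ACTIVE"


def _hash_token(token: str) -> str:
    # Only a digest is stored, so reading the database does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class HardenedRegistry:
    """Confirm-before-activate: the account stays PENDING until whoever reads the
    mailbox presents the single-use token that was sent only to that address."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, now: float) -> Tuple[Account, str]:
        token = secrets.token_urlsafe(32)  # the raw token goes to the mailer only
        acct = Account(email=email, state="PENDING", created_at=now,
                       confirm_token_hash=_hash_token(token),
                       confirm_expires_at=now + CONFIRM_TTL_SECONDS)
        self.accounts[email] = acct
        return acct, token

    def confirm(self, email: str, token: str, now: float) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.state != "PENDING" or acct.confirm_expires_at is None:
            return False
        if now > acct.confirm_expires_at:
            return False  # window elapsed; the sweep will remove the account
        if not secrets.compare_digest(acct.confirm_token_hash or "", _hash_token(token)):
            return False
        acct.state = "ACTIVE"
        acct.confirm_token_hash = None  # single use
        acct.confirm_expires_at = None
        return True

    def can_login(self, email: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and acct.state == "ACTIVE"

    def purge_expired(self, now: float) -> int:
        """Scheduled sweep: unconfirmed accounts past their window are deleted, so
        bulk bogus registrations cannot occupy storage indefinitely."""
        expired = [e for e, a in self.accounts.items()
                   if a.state == "PENDING" and a.confirm_expires_at is not None
                   and now > a.confirm_expires_at]
        for e in expired:
            del self.accounts[e]
        return len(expired)


def demo(n_bogus: int = 1000) -> Dict[str, int]:
    """Script n_bogus constructed addresses into both flows, then one genuine
    confirmation and a sweep after the window has elapsed."""
    t0 = 1_700_000_000.0
    weak, hard = WeakRegistry(), HardenedRegistry()
    for i in range(n_bogus):
        weak.register(f"user{i}@example.com", t0)  # addresses the attacker does not own
        hard.register(f"user{i}@example.com", t0)
    _, token = hard.register("owner@example.com", t0)  # legitimate registrant
    hard.confirm("owner@example.com", token, t0 + 60)
    purged = hard.purge_expired(t0 + CONFIRM_TTL_SECONDS + 1)
    return {"weak_active": sum(a.state == "ACTIVE" for a in weak.accounts.values()),
            "hard_active": sum(a.state == "ACTIVE" for a in hard.accounts.values()),
            "purged": purged, "hard_remaining": len(hard.accounts)}
```

Running `demo()` leaves the weak registry with 1000 usable accounts and the hardened one with a single confirmed account after the sweep. The point of storing only a token digest, comparing in constant time and invalidating the token on first use is that the confirmation step itself should not become a new weak link once it is added.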
Potential Impact
An attacker can create large numbers of accounts without confirming any email address. The direct effect is resource consumption: database storage, per-account records and any downstream processing the deployment attaches to a new registration, which can degrade or interrupt the storefront and raise operating and support costs. Confidentiality and integrity of existing data are not affected, but availability of the commerce platform is, and accounts registered under real customers' or visitors' addresses without their consent create cleanup work and confusion for customer support. Organizations running Configured Commerce B2B storefronts should therefore expect service disruption, support load and reputational damage if the flaw is abused. Because exploitation needs neither credentials nor any action by a victim, automated abuse campaigns are practical even though the vector rates attack complexity as high.
Mitigation Recommendations
Upgrade Optimizely Configured Commerce to 5.2.2408 or later, the first release the advisory identifies as unaffected. Until that is possible, reduce both the rate and the value of bogus registrations: apply per-source rate limits and a CAPTCHA or similar challenge on the account-creation endpoint; front the endpoint with a WAF rule that blocks bursts of registrations from one address or from automation user agents; and, where the deployment allows it, gate new accounts behind manual approval or a secondary verification step so that unconfirmed accounts cannot transact. Monitor registration logs for spikes, for many accounts created from one source in a short window, and for sequentially numbered or disposable email addresses. Audit the account inventory and database growth on a schedule, and delete accounts that were never used within a defined retention period. Ask Optimizely support whether interim guidance or configuration exists for the affected releases, and brief operations and support staff on what exploitation looks like (sudden account growth, customers reporting accounts they did not create) so it is escalated promptly.
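A sliding-window burst detector over account-creation log lines, as an added example for the monitoring advice above (not part of Optimizely's product or the advisory; the log line format, field names, IP addresses, thresholds and the sample lines are all constructed for the example and would need adapting to the real application's audit log). It raises one alert the first time a single source exceeds a per-address limit inside the window and one the first time site-wide registrations exceed a global limit.

```python
"""Burst detector for account-creation audit logs. Added example for the monitoring
advice; not part of Optimizely's product or the advisory. The log line format,
field names, addresses and thresholds are invented for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Assumed format: "<ISO-8601 UTC> <level> account.created ip=<addr> email=<addr>"
LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ account\.created ip=(?P<ip>\S+) email=(?P<email>\S+)")

# Constructed sample: three ordinary registrations hours apart, one unrelated line,
# then eight registrations from one address within 35 seconds (scripted abuse).
SAMPLE_LOG = [
    "2026-02-25T09:00:00Z INFO account.created ip=198.51.100.10 email=alice@example.com",
    "2026-02-25T09:40:00Z INFO account.created ip=198.51.100.11 email=bob@example.org",
    "2026-02-25T10:15:00Z INFO account.created ip=198.51.100.12 email=carol@example.net",
    "2026-02-25T21:34:55Z INFO login.success ip=198.51.100.10 email=alice@example.com",
] + [
    f"2026-02-25T21:35:{5 * i:02d}Z INFO account.created ip=203.0.113.7 email=user{i}@example.com"
    for i in range(8)
]


def parse_line(line: str) -> Optional[Tuple[float, str, str]]:
    """Return (epoch seconds, source ip, email) for a registration line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["ip"], m["email"]


def detect_bursts(lines: Iterable[str], window_seconds: int = 300,
                  per_ip_limit: int = 5, global_limit: int = 50) -> List[Tuple[str, str, int]]:
    """Sliding-window counts over time-ordered log lines. Emits one
    ("per_ip_burst", ip, count) alert the first time a source exceeds per_ip_limit
    registrations within window_seconds, and one ("global_spike", "*", count)
    alert the first time the whole site exceeds global_limit in the window."""
    per_ip: Dict[str, Deque[float]] = defaultdict(deque)
    site: Deque[float] = deque()
    alerts: List[Tuple[str, str, int]] = []
    alerted_ips = set()
    site_alerted = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a registration event
        ts, ip, _email = parsed
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window_seconds:  # drop events that fell out of the window
            q.popleft()
        if len(q) > per_ip_limit and ip not in alerted_ips:
            alerted_ips.add(ip)
            alerts.append(("per_ip_burst", ip, len(q)))
        site.append(ts)
        while ts - site[0] > window_seconds:
            site.popleft()
        if len(site) > global_limit and not site_alerted:
            site_alerted = True
            alerts.append(("global_spike", "*", len(site)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

With the defaults the sample produces a single per-address alert for 203.0.113.7 at its sixth registration; lowering `global_limit` to 7 adds a site-wide alert at the eighth. A per-source limit catches a naive script, while the site-wide count is what catches the same campaign spread across many addresses, so both thresholds belong in production monitoring, tuned against the storefront's normal registration rate.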
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, Sweden, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-01-04T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b1bb7ef31ef0b54e2f9
Added to database: 2/25/2026, 9:35:23 PM
Last enriched: 2/25/2026, 10:11:51 PM
Last updated: 4/12/2026, 5:06:09 PM