CVE-2025-22387: CWE-598 Use of GET Request Method With Sensitive Query Strings
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking.
AI Analysis
Technical Summary
CVE-2025-22387 is a vulnerability classified under CWE-598, which concerns the use of HTTP GET request methods with sensitive query strings. Specifically, in Optimizely Configured Commerce versions prior to 5.2.2408, session tokens are transmitted as URL parameters in GET requests. This insecure design flaw exposes authenticated session tokens in URLs, where they can be recorded in browser history, web server logs, and proxy logs, or intercepted by network sniffers. Because session tokens are what maintain an authenticated user session, their exposure allows attackers to hijack active sessions without needing credentials or user interaction. The vulnerability is remotely exploitable over the network without privileges or authentication, increasing its risk profile. The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates high confidentiality impact with no impact on integrity or availability. No patches or exploits are currently documented, but the issue has been publicly known since January 2025. The root cause is the insecure practice of embedding sensitive tokens in URLs rather than carrying them in HTTP headers or cookies. This vulnerability highlights the importance of secure session management and of keeping sensitive data out of URLs.
Potential Impact
The primary impact of this vulnerability is the compromise of confidentiality through session hijacking. Attackers who obtain the session token can impersonate legitimate users, potentially gaining unauthorized access to sensitive business data, customer information, or administrative functions within Optimizely Configured Commerce platforms. This can lead to data breaches, fraud, and loss of customer trust. Since the vulnerability does not affect integrity or availability directly, the main risk is unauthorized data access. The ease of exploitation (no authentication or user interaction required) and the wide network attack vector increase the likelihood of exploitation once discovered. Organizations relying on affected versions face increased risk of account takeover and subsequent downstream attacks. The exposure of session tokens in URLs also increases the risk from insider threats or compromised network infrastructure. Given Optimizely's use in e-commerce and digital experience management, the impact on business operations and reputation can be significant.
Mitigation Recommendations
1. Upgrade Optimizely Configured Commerce to version 5.2.2408 or later, where this vulnerability is addressed.
2. Immediately audit all web application code and configurations to ensure session tokens or other sensitive authentication data are never included in URL query parameters.
3. Implement secure session management practices by using HttpOnly, Secure, and SameSite cookies to store session tokens instead of URL parameters.
4. Review and sanitize web server and proxy logs to remove any stored session tokens that may have been logged.
5. Enforce HTTPS across all communications to prevent interception of tokens in transit.
6. Educate developers and security teams about the risks of sensitive data in URLs and promote secure coding standards.
7. Monitor network traffic and logs for unusual access patterns that may indicate session hijacking attempts.
8. Consider implementing additional session security controls such as IP binding, user-agent validation, and short session expiration times to reduce the window of exploitation.
9. Conduct penetration testing and vulnerability assessments focused on session management to detect similar issues proactively.
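The following Python helpers are an added example, not code from Optimizely or from the page's analysis, that implement the audit, cookie and log-sanitization steps in recommendations 2, 3 and 4: flagging URLs that carry a session token in the query string, emitting a Set-Cookie header with the HttpOnly, Secure and SameSite attributes so the token never appears in a URL, and redacting tokens already written to access logs. The page does not name the affected parameter, so the parameter names, cookie name and log lines below are constructed for illustration.

```python
"""Added example (not Optimizely's code): defensive helpers for CWE-598.

The query-parameter names, cookie name and access-log lines are constructed
for illustration; the real parameter name in the affected product is not
given on the page.
"""
from __future__ import annotations

import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Query-parameter names treated as session-bearing (constructed, case-insensitive).
SENSITIVE_PARAMS = frozenset(
    {"sessiontoken", "session_token", "sessionid", "token", "access_token"}
)

# Matches "?name=value" or "&name=value" for any sensitive name in a log line.
_REDACT_RE = re.compile(
    r"([?&](?:%s)=)([^&\s\"]+)" % "|".join(re.escape(p) for p in SENSITIVE_PARAMS),
    re.IGNORECASE,
)

# Pulls the request target out of a Common Log Format request field.
_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH)\s+(\S+)')

# Constructed access-log lines: line 1 leaks a token, line 2 is clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:00 +0000] '
    '"GET /api/v1/account?sessionToken=9f3a1c7e&page=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:12:00:01 +0000] '
    '"GET /api/v1/catalog?page=1 HTTP/1.1" 200 2048',
]


def find_sensitive_query_params(url: str) -> list[str]:
    """Return the names of sensitive parameters found in the URL's query string.

    Works on absolute URLs and on bare request targets such as "/path?x=1".
    """
    query = urlsplit(url).query
    return [
        name
        for name, _ in parse_qsl(query, keep_blank_values=True)
        if name.lower() in SENSITIVE_PARAMS
    ]


def audit_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, flagged parameter names) for each leaking line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        flagged = find_sensitive_query_params(match.group(1))
        if flagged:
            findings.append((number, flagged))
    return findings


def redact_log_line(line: str) -> str:
    """Replace the value of any sensitive query parameter with [REDACTED]."""
    return _REDACT_RE.sub(r"\1[REDACTED]", line)


def session_cookie_header(name: str, token: str, max_age: int = 900) -> str:
    """Build a Set-Cookie value that keeps the session token out of the URL.

    HttpOnly keeps script from reading it, Secure restricts it to HTTPS,
    SameSite=Strict keeps it off cross-site requests, and a short Max-Age
    bounds the window in which a stolen token is useful.
    """
    cookie = SimpleCookie()
    cookie[name] = token
    morsel = cookie[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


if __name__ == "__main__":
    for number, params in audit_log(SAMPLE_LOG):
        print(f"line {number}: session token in query string: {params}")
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
    print("Set-Cookie:", session_cookie_header("session", "abc123"))
```

Run the audit over exported web server and proxy logs before rotating them, and point the redaction step at the same files; the cookie helper stands in for whatever the application's own session middleware emits and is only meant to show the attribute set to check for.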
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-01-04T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b1bb7ef31ef0b54e2ff
Added to database: 2/25/2026, 9:35:23 PM
Last enriched: 2/25/2026, 10:12:28 PM
Last updated: 4/12/2026, 12:21:43 AM