CVE-2025-50902 is a Cross Site Request Forgery (CSRF) vulnerability identified in the old-peanut Open-Shop software (also known as old-peanut/wechat_applet__open_source) up to version 1.0.0. CSRF vulnerabilities allow attackers to trick authenticated users into submitting malicious HTTP POST requests without their consent or knowledge. In this case, the vulnerability enables attackers to craft specific HTTP POST messages that can cause the victim's browser to send unauthorized requests to the vulnerable application, potentially leading to leakage of sensitive information. The vulnerability arises because the application does not properly verify the origin or authenticity of POST requests, allowing attackers to bypass normal access controls. Although no CVSS score has been assigned yet and no known exploits are reported in the wild, the vulnerability poses a risk to confidentiality by enabling unauthorized data access. The lack of patch links suggests that no official fix has been released at the time of publication. Given that the vulnerability affects an open-source e-commerce platform, it may impact organizations using this software for online sales or customer interactions, especially if user sessions are not protected against CSRF attacks. The technical details indicate the vulnerability was reserved in mid-2025 and published in August 2025, reflecting recent discovery.

For European organizations using old-peanut Open-Shop, this CSRF vulnerability could lead to unauthorized disclosure of sensitive customer or business information, potentially violating data protection regulations such as GDPR. Attackers exploiting this flaw could perform actions on behalf of authenticated users without their consent, undermining trust and possibly leading to financial or reputational damage. The impact is particularly significant for e-commerce businesses handling personal data and payment information. Since CSRF attacks rely on authenticated sessions, organizations with poor session management or lacking anti-CSRF tokens are at higher risk. The vulnerability could also facilitate further attacks if sensitive information is exposed, such as user credentials or internal business data. Given the absence of known exploits, the immediate risk may be moderate, but the potential for exploitation remains, especially if attackers develop automated tools targeting this flaw.

European organizations should immediately assess whether they use the old-peanut Open-Shop platform and identify affected versions. Until an official patch is available, implement strict anti-CSRF protections such as synchronizer tokens (CSRF tokens) in all forms and state-changing requests. Enforce SameSite cookie attributes to restrict cross-origin requests and validate the Origin and Referer headers on the server side to confirm legitimate request sources. Additionally, implement robust session management practices, including short session lifetimes and re-authentication for sensitive operations. Conduct security audits and penetration tests focusing on CSRF vulnerabilities. Educate users about the risks of clicking suspicious links while authenticated. Monitor web server logs for unusual POST requests that could indicate exploitation attempts. Finally, stay updated on vendor advisories for patches or updates addressing this vulnerability and apply them promptly once released.