CVE-2025-50902 is a high-severity Cross Site Request Forgery (CSRF) vulnerability affecting the old-peanut Open-Shop software (also known as old-peanut/wechat_applet__open_source) up to version 1.0.0. CSRF vulnerabilities occur when an attacker tricks an authenticated user into submitting a forged HTTP request, which the vulnerable application processes as a legitimate action. In this case, the vulnerability allows attackers to craft malicious HTTP POST requests that can cause the application to disclose sensitive information. The CVSS 3.1 base score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), meaning the vulnerability affects resources within the same security scope. The vulnerability is categorized under CWE-352, which specifically relates to CSRF attacks. Although no patch links are currently available and no known exploits have been reported in the wild, the vulnerability poses a significant risk due to its ability to leak sensitive data and potentially manipulate application state. The lack of affected version details beyond 'n/a' suggests that the vulnerability may impact all versions up to 1.0.0 or that versioning information is incomplete. The vulnerability is present in an open-source e-commerce platform, which may be integrated into various business environments, including those in Europe.

For European organizations using old-peanut Open-Shop, this vulnerability could lead to unauthorized disclosure of sensitive customer or business data, undermining confidentiality. Attackers exploiting this flaw could also alter application data or disrupt service availability, impacting business operations and customer trust. Given the e-commerce context, this could result in financial losses, regulatory non-compliance (e.g., GDPR violations due to data breaches), and reputational damage. The requirement for user interaction means phishing or social engineering campaigns could be used to trick legitimate users into triggering the exploit. The broad network attack vector and absence of required privileges increase the risk of widespread exploitation if the software is deployed in European markets. Organizations relying on this software for online sales or customer engagement are particularly at risk, especially if they have not implemented additional CSRF protections or mitigations.

European organizations should immediately assess their use of old-peanut Open-Shop and identify any deployments of version 1.0.0 or earlier. Until an official patch is released, implement strict CSRF protections such as synchronizer tokens or double-submit cookies to validate the authenticity of POST requests. Employ Content Security Policy (CSP) headers and SameSite cookie attributes to reduce the risk of CSRF attacks. Conduct user awareness training to mitigate social engineering risks associated with user interaction requirements. Network-level controls like Web Application Firewalls (WAFs) can be configured to detect and block suspicious POST requests that do not originate from legitimate user sessions. Regularly monitor application logs for unusual POST request patterns. Organizations should also prepare to apply patches promptly once available and consider isolating or restricting access to vulnerable instances until remediation is complete.