
CISA issues update on nopCommerce session cookie invalidation vulnerability

nopCommerce, an ecommerce platform built on ASP.NET Core, contains a session management flaw that lets an attacker reuse a session cookie after the user has logged out or the session has otherwise ended. Because the cookie stays valid, anyone holding a copy of it can keep accessing the application without credentials.

The vulnerability, tracked as CVE-2025-11699, affects nopCommerce versions 4.70 and earlier, as well as version 4.80.3. The platform runs on Microsoft SQL Server 2012 for its backend and supports features such as store logins, shipping API integrations, and content delivery networks. The core problem is that the platform fails to invalidate the session cookie on logout or session termination, so an attacker holding a valid session cookie (for example, one stolen from the user's browser) can still reach protected areas such as the /admin endpoint after the legitimate user has ended the session. Versions later than 4.70, other than 4.80.3, address the flaw.
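The behaviour above is easiest to understand, and to test for, with a small model. The following is an added illustrative example, not nopCommerce or ASP.NET Core code, and it does not claim to reproduce nopCommerce's actual root cause, which this page does not detail. It assumes the common design in which the authentication cookie is a self-contained signed ticket (as an ASP.NET Core cookie authentication ticket is) and logout merely tells the browser to drop its copy. The vulnerable server trusts the ticket until its own expiry; the fixed server keeps a per-user security stamp and rejects tickets minted under an older one. The key, user names and field names are constructed for the demo.

```python
"""
Added illustrative example (not nopCommerce's code): why a self-contained
auth cookie survives logout, and a replay check that exposes it.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for the demo
SIG_LEN = hashlib.sha256().digest_size               # 32-byte HMAC tag


def mint_ticket(user, stamp, ttl_seconds=3600):
    """Issue a signed ticket: JSON payload || HMAC-SHA256(payload)."""
    now = int(time.time())
    payload = json.dumps({"user": user, "iat": now, "exp": now + ttl_seconds,
                          "stamp": stamp}, sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def parse_ticket(cookie):
    """Return the payload dict if the signature verifies, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(payload)
    except (ValueError, TypeError):
        return None


class StatelessServer:
    """Vulnerable pattern: validity rests only on the cookie's signature and expiry."""

    def login(self, user):
        return mint_ticket(user, stamp=0)

    def logout(self, cookie):
        # Nothing is recorded server-side; only the browser drops its cookie.
        return None

    def admin(self, cookie):
        """Does this cookie still reach /admin?"""
        t = parse_ticket(cookie)
        return t is not None and t["exp"] > time.time()


class RevokingServer:
    """Fixed pattern: a per-user security stamp that logout bumps."""

    def __init__(self):
        self._stamp = {}  # user -> current stamp (session generation)

    def login(self, user):
        return mint_ticket(user, stamp=self._stamp.setdefault(user, 0))

    def logout(self, cookie):
        t = parse_ticket(cookie)
        if t is not None:
            self._stamp[t["user"]] = self._stamp.get(t["user"], 0) + 1

    def admin(self, cookie):
        t = parse_ticket(cookie)
        return (t is not None and t["exp"] > time.time()
                and t["stamp"] == self._stamp.get(t["user"], 0))


def stale_cookie_accepted(server, user="demo-admin"):
    """Replay test: log in, keep a copy of the cookie, log out, replay the copy.
    True is the CVE-style behaviour: logout did not invalidate the cookie."""
    cookie = server.login(user)
    if not server.admin(cookie):
        raise RuntimeError("fresh cookie rejected; test setup is broken")
    server.logout(cookie)
    return server.admin(cookie)


def relogin_after_logout(server, user="demo-admin"):
    """After logout a fresh login must work; returns (new_ok, old_ok)."""
    old = server.login(user)
    server.logout(old)
    new = server.login(user)
    return server.admin(new), server.admin(old)


def tampered_cookie_accepted(server, user="demo-admin"):
    """Control: editing the payload breaks the signature on both servers."""
    cookie = server.login(user)
    raw = base64.urlsafe_b64decode(cookie.encode())
    forged = raw.replace(f'"user": "{user}"'.encode(), b'"user": "other-user"')
    return server.admin(base64.urlsafe_b64encode(forged).decode())


if __name__ == "__main__":
    for srv in (StatelessServer(), RevokingServer()):
        print(f"{type(srv).__name__}: stale cookie accepted ->",
              stale_cookie_accepted(srv))
```

The same sequence is the live check to run against your own test instance after patching: authenticate, copy the authentication cookie, call the logout action, then replay the copied cookie against /admin and expect a redirect to login. In real ASP.NET Core applications the server-side hook for this kind of revocation is the cookie authentication event OnValidatePrincipal (ASP.NET Core Identity's SecurityStampValidator uses it); whether nopCommerce's fix took that route is not stated on this page.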

The improper handling of session cookies can give an attacker access as the logged-out user, which in turn can enable financial fraud or serve as a foothold for ransomware deployment. Stolen session data has long been traded on illicit forums and used in account takeovers, including cryptocurrency thefts, so a cookie that outlives its session is a valuable commodity.

To remediate the issue, users are advised to upgrade to the latest nopCommerce release, version 4.90.3. This release corrects the session invalidation failure for all affected versions; installations on 4.80.3 must also move to the current release, since 4.80.3 is affected despite being newer than 4.70. Keeping the platform current is the only fix offered; no configuration workaround is described.

Security guidance emphasizes applying vendor-provided updates promptly to shorten the window in which session management weaknesses can be exploited. Administrators should review the official release notes and upgrade paths before updating and, afterwards, confirm that a copied session cookie no longer grants access once the user has logged out.