{"id":64814,"date":"2025-08-29T01:51:07","date_gmt":"2025-08-29T01:51:07","guid":{"rendered":""},"modified":"2025-09-10T18:12:37","modified_gmt":"2025-09-11T00:12:37","slug":"cve-2025-50902-cross-site-request-forgery-vulnerability-in-old-peanut-open-shop","status":"publish","type":"post","link":"https:\/\/www.ameeba.com\/blog\/cve-2025-50902-cross-site-request-forgery-vulnerability-in-old-peanut-open-shop\/","title":{"rendered":"<strong>CVE-2025-50902: Cross Site Request Forgery Vulnerability in old-peanut Open-Shop<\/strong>"},"content":{"rendered":"<p><strong>Overview<\/strong><\/p>\n<p>The CVE-2025-50902 vulnerability is a severe Cross-Site Request Forgery (CSRF) flaw found in the old-peanut Open-Shop, known also as old-peanut\/wechat_applet__open_source, up to version 1.0.0. CSRF vulnerabilities allow attackers to manipulate victims into performing actions they do not intend to do, potentially leading to data leakage or system compromise. This vulnerability is of particular concern to businesses and individuals using this software for their e-commerce activities, as it could lead to <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-53495-unauthorized-access-data-leakage-in-wikimedia-foundation-mediawiki-abusefilter-extension\/\"  data-wpil-monitor-id=\"72659\">unauthorized access and manipulation of sensitive data<\/a>.<\/p>\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>CVE ID: CVE-2025-50902<br \/>\nSeverity: High (8.8 CVSS Score)<br \/>\nAttack Vector: Network<br \/>\nPrivileges Required: None<br \/>\nUser Interaction: Required<br \/>\nImpact: <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-27055-memory-corruption-leads-to-potential-system-compromise-during-image-encoding\/\"  data-wpil-monitor-id=\"74345\">Potential system compromise<\/a> or data leakage<\/p>\n<p><strong>Affected Products<\/strong><\/p><div id=\"ameeb-3145332293\" class=\"ameeb-content-2 ameeb-entity-placement\"><div style=\"border-left: 4px solid #555; padding-left: 20px; margin: 48px 0; font-family: Roboto, sans-serif; color: #ffffff; line-height: 1.6; max-width: 700px;\">\r\n  <h2 style=\"margin-top: 0; font-size: 20px; font-weight: 600; display: flex; align-items: center;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"display: inline-flex; align-items: center; margin-right: 8px;\">\r\n      <img decoding=\"async\" src=\"https:\/\/www.ameeba.com\/blog\/wp-content\/uploads\/2025\/10\/Best-App-icon-Ameeba.png\" alt=\"Ameeba Chat Icon\" style=\"width: 40px; height: 40px;\" \/>\r\n    <\/a>\r\n    A new way to communicate\r\n  <\/h2>\r\n\r\n  <p style=\"margin-bottom: 12px;\">\r\n    Ameeba Chat is built on encrypted identity, not personal profiles.\r\n  <\/p>\r\n\r\n  <p style=\"margin-bottom: 16px;\">\r\n    Message, call, share files, and coordinate with identities kept separate.\r\n  <\/p>\r\n\r\n  <ul style=\"list-style: none; padding-left: 0; margin-bottom: 20px;\">\r\n    <li>\u2022 Encrypted identity<\/li>\r\n    <li>\u2022 Ameeba Chat authenticates access<\/li>\r\n    <li>\u2022 Aliases and categories<\/li>\r\n    <li>\u2022 End-to-end encrypted chat, calls, and files<\/li>\r\n    <li>\u2022 Secure notes for sensitive information<\/li>\r\n  <\/ul>\r\n\r\n  <p style=\"font-style: italic; font-weight: 600; margin-bottom: 24px;\">\r\n    Private communication, rethought.\r\n  <\/p>\r\n\r\n  <div style=\"display: flex; flex-wrap: wrap; gap: 12px;\">\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\/download\" style=\"background-color: #ffffff; color: #000000; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Download Ameeba Chat<\/a>\r\n    <a href=\"https:\/\/www.ameeba.com\/chat\" style=\"border: 1px solid #ffffff; color: #ffffff; padding: 10px 20px; text-decoration: none; border-radius: 6px; font-weight: 500;\">Learn More<\/a>\r\n  <\/div>\r\n<\/div>\r\n<\/div>\n<p>Product | Affected Versions<\/p>\n<p>old-peanut Open-Shop (old-peanut\/wechat_applet__open_source) | Up to version 1.0.0<\/p>\n<p><strong>How the Exploit Works<\/strong><\/p>\n<p>The <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-21120-trusting-http-permission-methods-on-the-server-side-vulnerability-in-dell-avamar\/\"  data-wpil-monitor-id=\"81487\">vulnerability is exploited when an attacker crafts a specific HTTP<\/a> Post message and then tricks a victim into sending this request. The attacker can create a malicious website or email that, when interacted with by the user, sends the crafted HTTP <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-24000-authentication-bypass-vulnerability-in-wpexperts-post-smtp-plugin\/\"  data-wpil-monitor-id=\"78976\">Post request to the vulnerable<\/a> old-peanut Open-Shop. The server, failing to validate the origin of the request, executes it as if it were a legitimate user action. This flaw allows the attacker to gain <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-53499-critical-unauthorized-access-vulnerability-in-wikimedia-foundation-mediawiki-abusefilter-extension\/\"  data-wpil-monitor-id=\"72794\">unauthorized access<\/a> to sensitive information.<\/p>\n<p><strong>Conceptual Example Code<\/strong><\/p><div id=\"ameeb-3455593017\" class=\"ameeb-content ameeb-entity-placement\"><div class=\"poptin-embedded\" data-id=\"f6b387694f681\"><\/div>\r\n\r\n\r\n\r\n\r\n\r\n<\/div>\n<p>A conceptual exploit might look like this:<\/p>\n<pre><code class=\"\" data-line=\"\">POST \/vulnerable\/endpoint HTTP\/1.1\nHost: target.example.com\nContent-Type: application\/json\n{\n&quot;csrf_token&quot;: &quot;stolen_token&quot;,\n&quot;action&quot;: &quot;retrieve_user_data&quot;\n}<\/code><\/pre>\n<p>In this example, the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2024-9408-server-side-request-forgery-attack-in-eclipse-glassfish\/\"  data-wpil-monitor-id=\"77207\">attacker crafts a malicious HTTP POST request<\/a> using a stolen CSRF token. The action set in the request body instructs the <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-49759-sql-injection-vulnerability-in-sql-server-potentially-enabling-privilege-escalation-and-data-leakage\/\"  data-wpil-monitor-id=\"79192\">server to retrieve user data<\/a>, which is then sent back to the attacker.<\/p>\n<p><strong>Mitigation<\/strong><\/p>\n<p><a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-44955-critical-vulnerability-in-ruckus-network-director-allows-jail-users-to-gain-root-access\/\"  data-wpil-monitor-id=\"76038\">Users can mitigate the risk of this vulnerability<\/a> by applying the vendor patch as soon as it is available. In the meantime, they can use a Web Application Firewall (WAF) or Intrusion Detection System (IDS) as a temporary mitigation measure. These systems can be configured to detect and block <a href=\"https:\/\/www.ameeba.com\/blog\/cve-2025-52797-critical-cross-site-request-forgery-csrf-vulnerability-in-josepsitjar-storymap\/\"  data-wpil-monitor-id=\"79338\">CSRF attacks by identifying and blocking suspicious HTTP requests<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview The CVE-2025-50902 vulnerability is a severe Cross-Site Request Forgery (CSRF) flaw found in the old-peanut Open-Shop, known also as old-peanut\/wechat_applet__open_source, up to version 1.0.0. CSRF vulnerabilities allow attackers to manipulate victims into performing actions they do not intend to do, potentially leading to data leakage or system compromise. This vulnerability is of particular concern [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[1],"tags":[],"vendor":[],"product":[],"attack_vector":[90],"asset_type":[],"severity":[],"exploit_status":[],"class_list":["post-64814","post","type-post","status-publish","format-standard","hentry","category-uncategorized","attack_vector-csrf"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/64814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/comments?post=64814"}],"version-history":[{"count":9,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/64814\/revisions"}],"predecessor-version":[{"id":73939,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/posts\/64814\/revisions\/73939"}],"wp:attachment":[{"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/media?parent=64814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/categories?post=64814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/tags?post=64814"},{"taxonomy":"vendor","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/vendor?post=64814"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/product?post=64814"},{"taxonomy":"attack_vector","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/attack_vector?post=64814"},{"taxonomy":"asset_type","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/asset_type?post=64814"},{"taxonomy":"severity","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/severity?post=64814"},{"taxonomy":"exploit_status","embeddable":true,"href":"https:\/\/www.ameeba.com\/blog\/wp-json\/wp\/v2\/exploit_status?post=64814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}