CVE-2025-10422
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10422
EUVD
EUVD-2025-29147
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
newbee-mall_project newbee-mall to 2023-10-09 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10422 is an improper authorization vulnerability in the newbee-mall application, specifically in the paySuccess function of the Order Status Handler (/paySuccess endpoint). The vulnerability occurs because the system accepts an orderNo parameter from the client without verifying if the user is authorized to update that order. This allows an attacker to manipulate the orderNo argument to mark orders as paid without proper authorization, effectively bypassing security controls. The flaw is classified as an Insecure Direct Object Reference (IDOR) and relates to CWE-285 and CWE-266. [1, 2, 3]

Impact Analysis

This vulnerability can allow an attacker to mark any order as paid without actually making a payment, resulting in zero-cost purchases. It enables horizontal privilege escalation by letting a user modify payment status of other users' orders. This compromises the integrity of the transaction system, potentially causing financial loss and disruption of order processing. The exploit is remotely executable and publicly available, making it easier for attackers to abuse. [1, 2, 3]

Detection Guidance

Detection can be performed by monitoring for unauthorized or suspicious requests to the /paySuccess endpoint that include the orderNo parameter. Specifically, look for GET requests where the orderNo parameter is manipulated to reference orders not owned by the requesting user. Network or application logs can be searched for such patterns. For example, using command-line tools like curl to simulate requests or grep to search logs: 1) grep 'GET /paySuccess' /path/to/access.log | grep 'orderNo=' to find requests with orderNo parameter. 2) Use curl to test endpoint behavior: curl -G 'http://targetsite/paySuccess' --data-urlencode 'orderNo=some_order_id' --data-urlencode 'payType=some_pay_type'. 3) Analyze application logs for changes in order status without corresponding payment confirmation. Since the vulnerability involves improper authorization, any successful status update triggered by a user other than the order owner indicates exploitation. Continuous monitoring for such anomalies is recommended. [2]

Mitigation Strategies

Immediate mitigation steps include: 1) Restrict access to the /paySuccess endpoint to trusted sources only, such as payment provider callbacks, rather than allowing client-supplied requests to update order status. 2) Implement proper authorization checks to verify that the user requesting the payment status update owns the order referenced by orderNo. 3) Modify the application logic so that payment status updates occur only after validation from trusted third-party payment providers (e.g., WeChat Pay, Alipay) callbacks, not directly from client requests. 4) If possible, temporarily disable or restrict the /paySuccess endpoint until a secure fix is deployed. 5) Monitor logs for suspicious activity related to order status changes. 6) Consider replacing or updating the affected component as no fixed version is currently available due to the rolling release model. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10422. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart