CVE-2025-12919

09.11.2025, 20:15

A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Resource Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
VulDB	CNA	3.7 LOW				CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Vendor	Product	Version
evershop	evershop	𝑥 ≤ 2.0.1

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md

https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md#attack-steps

https://vuldb.com/?ctiid.331639

https://vuldb.com/?id.331639

https://vuldb.com/?submit.680788

https://github.com/ictrun/Evershop-Order-leak/blob/main/README.md#attack-steps