CVE-2025-30151 — Improper Input Validation in Shopware

CWE-20 — Improper Input Validation3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 36.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Core Shopware Platform

Timeline

PublishedApr 8

Description

Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Packagistshopware/platform6.6.0.0 — 6.6.10.3+2

▶Packagistshopware/core6.6.0.0 — 6.6.10.3+2

▶NVDshopware/shopware6.6.0.0 — 6.6.10.3+2

▶CVEListV5shopware/shopware>= 6.6.0.0, < 6.6.10.3, >= 6.7.0.0-rc1, < 6.7.0.0-rc2+1

🔴Vulnerability Details

OSV

Shopware allows Denial Of Service via password length↗2025-04-08

▶

GHSA

Shopware allows Denial Of Service via password length↗2025-04-08

▶