CVE-2025-7954 — Race Condition in Shopware

CWE-362 — Race Condition4 documents3 sources

Severity

6.0MEDIUMNVD

OSV9.1

EPSS

0.1%

top 83.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Platform

Timeline

PublishedAug 6

Latest updateFeb 10

Description

A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDshopware/shopware6.6.0.0 — 6.7.2.0

▶Packagistshopware/platform6.6.10.4

▶CVEListV5shopware/shopware6.6.x, 6.7.x+1

🔴Vulnerability Details

OSV

libtasn1-6 vulnerabilities↗2026-02-10

▶

GHSA

Shopware race condition bypasses voucher restrictions↗2025-08-06

▶

OSV

Shopware race condition bypasses voucher restrictions↗2025-08-06

▶