CVE-2024-27917

7.5 HIGH

📋 TL;DR

This vulnerability in Shopware allows session fixation attacks where cached 404 pages inadvertently expose session cookies to subsequent users. Attackers can hijack user sessions when accessing cached error pages. Affects Shopware installations using default Symfony session handling without Redis.

💻 Affected Systems

Products:
  • Shopware
Versions: 6.5.8.0 through 6.5.8.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using default Symfony session handler without Redis configuration. Redis sessions are not vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain unauthorized access to user accounts, perform administrative actions, steal sensitive data, or compromise the entire Shopware instance.

🟠 Likely Case: Session hijacking leading to unauthorized access to customer accounts, potential data theft, and fraudulent transactions.

🟢 If Mitigated: Limited to isolated session issues if proper session management and monitoring are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires accessing cached 404 pages to harvest session cookies. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.8.7

Vendor Advisory: https://github.com/shopware/shopware/security/advisories/GHSA-c2f9-4jmm-v45m

Restart Required: Yes

Instructions:

1. Back up your Shopware installation.
2. Update to Shopware 6.5.8.7 via composer: composer require shopware/core:6.5.8.7 shopware/administration:6.5.8.7 shopware/storefront:6.5.8.7
3. Clear caches: bin/console cache:clear
4. Restart PHP-FPM or the web server.

🔧 Temporary Workarounds

Configure Redis Session Handler (applies to: all)

Use Redis for session storage instead of the default Symfony handler to bypass the vulnerable code path.

  • Configure the Redis session handler in .env: SESSION_REDIS_HOST=redis
  • Install the Redis extension: pecl install redis
  • Update the Shopware config to use Redis sessions

🧯 If You Can't Patch

  • Disable 404 page caching in Shopware configuration
  • Implement strict session validation and monitoring

🔍 How to Verify

Check if Vulnerable:

Check the Shopware version with php bin/console --version. If the version is between 6.5.8.0 and 6.5.8.6 and Redis sessions are not in use, the system is vulnerable.

Check Version:

php bin/console --version

Verify Fix Applied:

Confirm the version is 6.5.8.7 or higher: php bin/console --version | grep 6.5.8.7 (note that this grep only matches 6.5.8.7 exactly; on a later release, read the printed version and compare it yourself).
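As an added example (not part of the advisory and not Shopware's own tooling), the following POSIX shell snippet extracts the version string from the output of php bin/console --version and tests it against the affected range 6.5.8.0 to 6.5.8.6, so the check remains correct on releases later than 6.5.8.7. The sample console output is constructed, and the session-handler argument passed to shopware_vulnerable is an assumption standing in for however you determine which handler the installation uses.

```shell
#!/bin/sh
# Added example, not from the advisory or the Shopware project.

# Pull the first dotted four-part version (e.g. 6.5.8.3) out of a string.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Exit 0 (shell "true") when VERSION lies within 6.5.8.0 .. 6.5.8.6.
shopware_version_affected() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    # keep only the leading digits of each field ("6-rc1" -> "6"; empty -> 0)
    a=${a%%[!0-9]*}; b=${b%%[!0-9]*}; c=${c%%[!0-9]*}; d=${d%%[!0-9]*}
    a=${a:-0}; b=${b:-0}; c=${c:-0}; d=${d:-0}
    # only the 6.5.8.x line is in scope
    [ "$a" -eq 6 ] && [ "$b" -eq 5 ] && [ "$c" -eq 8 ] || return 1
    [ "$d" -le 6 ]
}

# Combine both conditions from the advisory: affected version AND the default
# Symfony session handler. HANDLER is "default" or "redis"; determining it for
# a real installation is outside this example (assumption).
shopware_vulnerable() {
    ver=$(extract_version "$1")
    [ -n "$ver" ] || return 1
    shopware_version_affected "$ver" || return 1
    [ "$2" != "redis" ]
}

# Stand-alone demo on constructed console output (not captured from a real install).
SAMPLE_OUTPUT='Shopware 6.5.8.3'
if shopware_vulnerable "$SAMPLE_OUTPUT" default; then
    echo "affected: $(extract_version "$SAMPLE_OUTPUT") with the default session handler"
else
    echo "not affected: $(extract_version "$SAMPLE_OUTPUT")"
fi
```

On a live host, replace the constructed string with the real console output, for example shopware_vulnerable "$(php bin/console --version)" default, and substitute redis if the installation uses Redis sessions.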

📡 Detection & Monitoring

Log Indicators:

  • Multiple session creations from same IP accessing 404 pages
  • Unusual session cookie patterns in access logs

Network Indicators:

  • Abnormal requests to non-existent URLs triggering 404 responses
  • Session cookie reuse across different user agents

SIEM Query:

source="shopware.log" AND "404" AND "session" AND "cookie"
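The two indicators above (a burst of 404 responses from one client, and one session cookie appearing under several User-Agents) can be checked directly against web server logs. The script below is an added example, not part of the advisory or of Shopware; it assumes a tab-separated access log with the fields client IP, status, path, session cookie value and User-Agent (an nginx log_format built from $remote_addr, $status, $request_uri, $cookie_session and $http_user_agent would produce this), and the sample lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the advisory or the Shopware project.
# Assumed log layout (tab-separated): ip  status  path  session_cookie  user_agent

# Print each session cookie value seen with more than one distinct User-Agent,
# followed by the number of distinct agents and the total hits for that cookie.
shared_sessions() {
    awk -F '\t' '
        $4 != "" && $4 != "-" {
            key = $4 SUBSEP $5
            if (!(key in seen)) { seen[key] = 1; agents[$4]++ }
            hits[$4]++
        }
        END {
            for (s in agents)
                if (agents[s] > 1) printf "%s\t%d\t%d\n", s, agents[s], hits[s]
        }'
}

# Print client IPs that produced at least THRESHOLD (default 5) 404 responses.
notfound_burst() {
    threshold=${1:-5}
    awk -F '\t' -v t="$threshold" '
        $2 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%s\t%d\n", ip, n[ip] }'
}

# Constructed sample log (RFC 5737 documentation addresses, made-up cookies).
# Client 203.0.113.5 hammers non-existent paths and ends up with cookie sess-aaa;
# that same cookie is then used from 198.51.100.7 with a different User-Agent.
sample_log() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        203.0.113.5  404 /nope-1   -        'Mozilla/5.0 (X11)' \
        203.0.113.5  404 /nope-2   -        'Mozilla/5.0 (X11)' \
        203.0.113.5  404 /nope-3   sess-aaa 'Mozilla/5.0 (X11)' \
        203.0.113.5  404 /nope-4   sess-aaa 'Mozilla/5.0 (X11)' \
        203.0.113.5  404 /nope-5   sess-aaa 'Mozilla/5.0 (X11)' \
        198.51.100.7 200 /account  sess-aaa 'curl/8.0' \
        192.0.2.9    200 /         sess-bbb 'Mozilla/5.0 (Macintosh)' \
        192.0.2.9    200 /checkout sess-bbb 'Mozilla/5.0 (Macintosh)'
}

# Stand-alone demo over the constructed lines.
printf 'session cookies seen with more than one User-Agent (cookie, agents, hits):\n'
sample_log | shared_sessions
printf '\nclients with 5 or more 404 responses (ip, count):\n'
sample_log | notfound_burst 5
```

Against a real log, pipe the file in instead of sample_log, for example notfound_burst 20 < access.log, and tune the threshold to the normal 404 rate of the storefront; a cookie that shows up under two User-Agents is worth correlating with the 404 burst that preceded it.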
