CVE-2025-7954

8.1 HIGH

📋 TL;DR

A race condition vulnerability in Shopware's voucher system allows attackers to bypass voucher restrictions and exceed usage limits. This affects Shopware v6.6.10.4 installations, potentially allowing unauthorized discounts or free purchases. All Shopware stores using the vulnerable version are affected.

💻 Affected Systems

Products:
  • Shopware
Versions: v6.6.10.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with voucher functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could apply unlimited discounts or make purchases for free, leading to significant financial loss for the merchant.

🟠 Likely Case

Attackers exploit voucher limitations to obtain unauthorized discounts on purchases.

🟢 If Mitigated

With proper rate limiting and transaction controls, impact is limited to occasional unauthorized discounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of race conditions and voucher system interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.6.10.5 or later

Vendor Advisory: https://github.com/shopware/shopware/issues/11245

Restart Required: No

Instructions:

1. Backup your Shopware installation.
2. Update to Shopware v6.6.10.5 or later via Composer or the Shopware updater.
3. Clear the cache and verify functionality.

🔧 Temporary Workarounds

Disable voucher functionality
Applies to: all
Temporarily disable the voucher system to prevent exploitation.

Implement rate limiting
Applies to: all
Add rate limiting to voucher redemption endpoints.

🧯 If You Can't Patch

  • Implement strict rate limiting on voucher redemption endpoints
  • Monitor voucher usage logs for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check the Shopware version in the admin panel or via composer show shopware/platform.

Check Version:

composer show shopware/platform | grep version

Verify Fix Applied:

Verify that the version is v6.6.10.5 or later and test voucher functionality.

📡 Detection & Monitoring

Log Indicators:

  • Multiple voucher redemption attempts from same IP/session in short timeframe
  • Voucher usage exceeding configured limits

Network Indicators:

  • Rapid API calls to voucher redemption endpoints

SIEM Query:

source="shopware_logs" AND (voucher_redemption_count > 5 WITHIN 1s)
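The two log indicators above (a burst of redemption attempts from one session, and a voucher's successful redemptions exceeding its configured limit) can be checked offline over exported log lines. The following is an added example, not Shopware code or the page's own tooling; the log line format and the voucher limits are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines in an assumed format (not real Shopware log output):
# "<epoch_seconds> <session_id> <client_ip> voucher_redeem <code> <status>"
SAMPLE_LOG = """\
1700000000.000 sess-a 203.0.113.5 voucher_redeem SAVE10 ok
1700000000.100 sess-a 203.0.113.5 voucher_redeem SAVE10 ok
1700000000.200 sess-a 203.0.113.5 voucher_redeem SAVE10 ok
1700000000.300 sess-a 203.0.113.5 voucher_redeem SAVE10 ok
1700000000.400 sess-a 203.0.113.5 voucher_redeem SAVE10 ok
1700000000.500 sess-a 203.0.113.5 voucher_redeem SAVE10 ok
1700000003.000 sess-b 198.51.100.7 voucher_redeem WELCOME ok
1700000009.000 sess-b 198.51.100.7 voucher_redeem WELCOME rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<sess>\S+) (?P<ip>\S+) "
    r"voucher_redeem (?P<code>\S+) (?P<status>\S+)$"
)

def parse(log_text):
    """Yield parsed redemption events; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m["ts"]), m["sess"], m["ip"], m["code"], m["status"]

def burst_alerts(log_text, threshold=5, window=1.0):
    """Peak number of attempts per (session, voucher) inside a sliding window.
    Returns only keys whose peak exceeds `threshold`, mirroring the
    'count > 5 WITHIN 1s' SIEM query above."""
    recent = defaultdict(deque)
    peak = {}
    for ts, sess, _ip, code, _status in parse(log_text):
        q = recent[(sess, code)]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) > threshold:
            peak[(sess, code)] = max(peak.get((sess, code), 0), len(q))
    return peak

def limit_breaches(log_text, limits):
    """Vouchers whose successful redemptions exceed the configured total limit."""
    used = defaultdict(int)
    for _ts, _sess, _ip, code, status in parse(log_text):
        if status == "ok":
            used[code] += 1
    return {c: n for c, n in used.items() if c in limits and n > limits[c]}
```

A single session redeeming the same code six times in half a second is exactly the shape a race-condition abuse leaves in the logs, so both functions flag sess-a/SAVE10 on the sample while the normally paced sess-b traffic stays quiet.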
