Race Condition in Shopware Voucher Submission

Title

Race Condition in Shopware Voucher Submission

Product

Shopware 6

Vulnerable Version

v6.6.10.4

Fixed Version

-

CVE Number

CVE-2025-7954

Impact

medium

Homepage

https://github.com/shopware/shopware

Found

14.05.2025

By

Timo Müller (Office Munich), SEC Consult Vulnerability Lab

Management Summary

A race condition vulnerability has been identified in Shopware's voucher system that allows attackers to bypass intended voucher restrictions and exceed usage limitations.

Vendor description:

"Shopware 6 is an open commerce platform based on Symfony Framework and Vue and supported by a worldwide community and more than 1.500 community extensions"

Source: https://github.com/shopware/shopware

Business recommendation:

The vendor has not yet provided a patch for this vulnerability but has already publicized it through a GitHub issue. Please check the "Workaround" section of this advisory for up to date recommended mitigation measures.

Vulnerability overview/description:

1) Race Condition in Shopware Voucher Submission (CVE-2025-7954)
A race condition exists within the voucher system of the Shopware Core. Successful exploitation of this vulnerability allows an attacker to bypass voucher usage limits during the checkout process. This vulnerability exists due to the fact that validation of voucher codes is not an atomic operation. Due to this, limited vouchers can be used in multiple simultaneous checkouts.

In the worst case an attacker can abuse this vulnerability to use generated vouchers over their pre-set usability limit.

Proof of concept:

1) Race Condition in Shopware Voucher Submission (CVE-2025-7954)

Successful exploitation of this issue requires access to a valid restricted (e.g. one-time use) voucher. Further information about the exploitation process is withheld until an official patch by Shopware is available.

Vulnerable / tested versions:

The following version has been tested, which was the latest version available at the time of the vulnerability submission:

  • v6.6.10.4

Vendor contact timeline: 

2025-05-09 Contacting vendor through the security reporting form at https://www.shopware.com/en/contact/security-reporting/
2025-05-21 Asking for a status update, whether our form submission was received. Vendor confirms receipt.
2025-07-15 Asking for a another status update including a request for a rough patch timeline
2025-07-15 Vendor classifies this vulnerability as a not security-relevant bug. They also discloses this "bug" as a Shopware GitHub issue https://github.com/shopware/shopware/issues/11245
2025-07-15 Asking the vendor for a statement, why this submission is not rated as security-relevant
2025-07-15 The vendor does not rate this issue as security-relevant because merchants can recognize and cancel malicious orders
2025-07-25 Informing vendor that we will publish the finding, too. (Vendor already published it via Github)
2025-08-07 Publishing advisory.

Solution:

No official patch is currently available for this vulnerability. Patch availability status can be tracked via the GitHub issue at https://github.com/shopware/shopware/issues/11245


Workaround:

Until a patch is available, vouchers with usage limits should not be used. Such vouchers are:

  • one-time vouchers
  • vouchers with a restricted amount of activations

If vouchers with usage limits are used, it is suggested to review any orders connected to these vouchers for suspicious activity.

Advisory URL

https://sec-consult.com/vulnerability-lab/

 

EOF T. Müller / @2025

 

Interested to work with the experts of SEC Consult? Send us your application.
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices

Back