CVE-2025-30150

08.04.2025, 14:15

Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop. Using the store-api endpoint /store-api/account/recovery-password you get the response, which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found. This vulnerability is fixed in Shopware 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Vendor	Product	Version
shopware	shopware	𝑥 < 6.5.8.18
shopware	shopware	6.6.0.0 ≤ 𝑥 < 6.6.10.3
shopware	shopware	6.7.0.0:rc1

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h

Common Weakness Enumeration

CWE-204 - Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References

https://github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h