7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27892

CVE-2025-27892: Shopware Vulnerable to Blind SQL-injection in DAL aggregations

Impact

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” in nested object is vulnerable SQL-injection and can be exploited using SQL parameters.

Patches

Update to Shopware 6.6.10.3

Workarounds

For older versions of 6.5 or 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Credit

Redteam Pentesting

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-27892

CVE-2025-27892:

7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/core	composer	= 6.7.0.0-rc1	6.7.0.0-rc2
shopware/platform	composer	= 6.7.0.0-rc1	6.7.0.0-rc2
shopware/core	composer	>= 6.6.0.0, <= 6.6.10.2	6.6.10.3
shopware/platform	composer	>= 6.6.0.0, <= 6.6.10.2	6.6.10.3
shopware/core	composer	< 6.5.8.18	6.5.8.18
shopware/platform	composer	< 6.5.8.18	6.5.8.18

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the handling of the 'name' field within nested aggregation objects in Shopware's DAL (Data Abstraction Layer). The provided commit 0372c310349f9ad8e3401af69fc260378861b278 patches this vulnerability.

File Analysis: The primary change is in src/Core/Framework/DataAbstractionLayer/Dbal/EntityAggregator.php.
Method Identification: The method fetchAggregation is responsible for processing these aggregations. Before the patch, it had a direct, non-recursive check for invalid characters in the aggregation name: if (str_contains($aggregation->getName(), '?') || str_contains($aggregation->getName(), ':')). This check was insufficient for nested aggregations as stated in the vulnerability description.
Patch Analysis: The patch introduces a new private method validateAggregation(Aggregation $aggregation). This method performs the same check on getName() but crucially, if the aggregation is a BucketAggregation and contains a nested aggregation ($aggregation->getAggregation()), it calls validateAggregation recursively on the nested aggregation. The fetchAggregation method was modified to call $this->validateAggregation($aggregation); at its beginning, replacing its previous direct validation.
Vulnerable Function: Since fetchAggregation is the public-facing (within the class context, though it's private, it's the one that initiates the aggregation processing logic) method that handles the aggregation criteria and would have processed the malicious input (the aggregation name) prior to the fix, it is identified as the vulnerable function. The lack of recursive validation for nested aggregation names within fetchAggregation (before the patch) is the core of the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-27892: Shopware Vulnerable to Blind SQL-injection in DAL aggregations

Impact

Patches

Workarounds

Credit

CVE-2025-27892:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.3

7.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-27892: Shopware Vulnerable to Blind SQL-injection in DAL aggregations

Impact

Patches

Workarounds

Credit

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI