7.5

CVSS Score

Basic Information

CVE ID

CVE-2025-30151

GHSA ID

GHSA-cgfj-hj93-rmh2

EPSS Score

CWE

CWE-20

Published

4/8/2025

Updated

4/8/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30151

CVE-2025-30151:
Shopware allows Denial Of Service via password length

Impact

It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API.

Patches

Update to Shopware 6.6.10.3 or 6.5.8.17

Workarounds

For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2025-30151

GHSA ID

GHSA-cgfj-hj93-rmh2

EPSS Score

CWE

CWE-20

Published

4/8/2025

Updated

4/8/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/core	composer	>= 6.6.0.0, < 6.6.10.3	6.6.10.3
shopware/platform	composer	>= 6.6.0.0, < 6.6.10.3	6.6.10.3
shopware/core	composer	>= 6.7.0.0-rc1, < 6.7.0.0-rc2	6.7.0.0-rc2
shopware/platform	composer	>= 6.7.0.0-rc1, < 6.7.0.0-rc2	6.7.0.0-rc2
shopware/core	composer	< 6.5.8.17	6.5.8.17
shopware/platform	composer	< 6.5.8.17	6.5.8.17

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Unable to fetch commit information using get_repo_commits. The vulnerability description indicates issues in password handling within Storefront forms and the Store-API. However, without specific commit diffs, I cannot identify the exact vulnerable functions or provide patch evidence. The fix likely involves input validation for password length in authentication or registration modules.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It's possi*l* to p*ss lon* p*sswor*s t**t l***s to **ni*l O* S*rvi** vi* *orms in Stor**ront *orms or Stor*-*PI. ### P*t***s Up**t* to S*opw*r* *.*.**.* or *.*.*.** ### Work*roun*s *or ol**r v*rsions o* *.*, *orr*spon*in* s**urity m**su

Reasoning

Un**l* to **t** *ommit in*orm*tion usin* **t_r*po_*ommits. T** vuln*r**ility **s*ription in*i**t*s issu*s in p*sswor* **n*lin* wit*in Stor**ront *orms *n* t** Stor*-*PI. *ow*v*r, wit*out sp**i*i* *ommit *i**s, I **nnot i**nti*y t** *x**t vuln*r**l* *

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-30151: Shopware allows Denial Of Service via password length

Impact

Patches

Workarounds

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-30151:
Shopware allows Denial Of Service via password length

Vulnerability Intelligence
Miggo AI