7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-30151

GHSA ID

GHSA-cgfj-hj93-rmh2

EPSS Score

0.34678%

CWE

CWE-20

Published

4/8/2025

Updated

4/8/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30151

CVE-2025-30151: Shopware allows Denial Of Service via password length

Impact

It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API.

Patches

Update to Shopware 6.6.10.3 or 6.5.8.17

Workarounds

For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-30151

CVE-2025-30151:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-30151

GHSA ID

GHSA-cgfj-hj93-rmh2

EPSS Score

0.34678%

CWE

CWE-20

Published

4/8/2025

Updated

4/8/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/core	composer	>= 6.6.0.0, < 6.6.10.3	6.6.10.3
shopware/platform	composer	>= 6.6.0.0, < 6.6.10.3	6.6.10.3
shopware/core	composer	>= 6.7.0.0-rc1, < 6.7.0.0-rc2	6.7.0.0-rc2
shopware/platform	composer	>= 6.7.0.0-rc1, < 6.7.0.0-rc2	6.7.0.0-rc2
shopware/core	composer	< 6.5.8.17	6.5.8.17
shopware/platform	composer	< 6.5.8.17	6.5.8.17

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Unable to fetch commit information using get_repo_commits. The vulnerability description indicates issues in password handling within Storefront forms and the Store-API. However, without specific commit diffs, I cannot identify the exact vulnerable functions or provide patch evidence. The fix likely involves input validation for password length in authentication or registration modules.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-30151: Shopware allows Denial Of Service via password length

Impact

Patches

Workarounds

CVE-2025-30151:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-30151: Shopware allows Denial Of Service via password length

Impact

Patches

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI