CVE-2025-7954: Shopware race condition bypasses voucher restrictions

CVSS Score: N/A

Basic Information

EPSS Score: 0.1003%
Published: 8/6/2025
Updated: 8/6/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
shopware/platform | composer  | <= 6.6.10.4         | (not listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is in the PromotionRedemptionUpdater.php file, specifically in the orderPlaced method, which listened for a placed order and updated the promotion's redemption counter (order_count). The update followed a read-modify-write pattern with no locking: the application read the current count, incremented it in PHP, and wrote the result back. Two checkouts that overlap can both read the same value before either write lands, so one increment is lost, the stored count undercounts the real number of redemptions, and a voucher can be redeemed more times than its limit allows.

The patch moves the listener from CheckoutOrderPlacedEvent to OrderEvents::ORDER_WRITTEN_EVENT and renames the method to orderUpdated. More importantly, it no longer increments a value the request read earlier: it counts the promotion's rows in the order_line_item table and sets order_count to that total. Because the counter is recomputed from the persisted line items, it reflects the actual state of the database rather than a stale in-memory value, so overlapping checkouts no longer lose increments. One check worth running after upgrading: submit overlapping checkouts against a voucher with a low redemption limit and confirm that the stored order_count matches the number of promotion line items actually written.
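To make the description above concrete, the following is an added example, not Shopware's code: it models the read-increment-write listener and the recomputed counter against a constructed SQLite schema (only promotion.order_count and the promotion's rows in order_line_item, both named on this page; the voucher id and order ids are made up). Each checkout is written as a generator and driven by a small round-robin scheduler, so the interleaving that triggers the lost update is deterministic instead of depending on thread timing.

```python
import sqlite3

# Constructed, simplified schema for the demonstration. The real Shopware
# tables have many more columns; only the two the page names matter here.
SCHEMA = """
CREATE TABLE promotion (
    id          TEXT PRIMARY KEY,
    order_count INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE order_line_item (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    order_id     TEXT NOT NULL,
    promotion_id TEXT NOT NULL
);
"""

PROMO = "SUMMER10"  # hypothetical voucher id, not from the page


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO promotion (id, order_count) VALUES (?, 0)", (PROMO,))
    return conn


def vulnerable_checkout(conn, order_id):
    """Read-increment-write, modelled on the page's description of orderPlaced.

    The generator suspends between the read and the write, which is exactly
    where a second request can slip in and read the same stale count.
    """
    (count,) = conn.execute(
        "SELECT order_count FROM promotion WHERE id = ?", (PROMO,)
    ).fetchone()
    yield  # another request may read the same value here
    conn.execute(
        "INSERT INTO order_line_item (order_id, promotion_id) VALUES (?, ?)",
        (order_id, PROMO),
    )
    conn.execute(
        "UPDATE promotion SET order_count = ? WHERE id = ?", (count + 1, PROMO)
    )
    yield


def fixed_checkout(conn, order_id):
    """Derive the counter from persisted rows, modelled on the page's description of the patch."""
    conn.execute(
        "INSERT INTO order_line_item (order_id, promotion_id) VALUES (?, ?)",
        (order_id, PROMO),
    )
    yield  # interleaving here no longer matters: no stale value is carried over
    conn.execute(
        "UPDATE promotion SET order_count = "
        "(SELECT COUNT(*) FROM order_line_item WHERE promotion_id = promotion.id) "
        "WHERE id = ?",
        (PROMO,),
    )
    yield


def interleave(flows):
    """Round-robin scheduler: advance each pending request one step at a time."""
    pending = list(flows)
    while pending:
        for flow in list(pending):
            try:
                next(flow)
            except StopIteration:
                pending.remove(flow)


def run(checkout, concurrent_requests=2):
    """Run N overlapping checkouts; return (stored order_count, real line item count)."""
    conn = fresh_db()
    interleave(checkout(conn, f"order-{i}") for i in range(concurrent_requests))
    (stored,) = conn.execute(
        "SELECT order_count FROM promotion WHERE id = ?", (PROMO,)
    ).fetchone()
    (actual,) = conn.execute(
        "SELECT COUNT(*) FROM order_line_item WHERE promotion_id = ?", (PROMO,)
    ).fetchone()
    conn.close()
    return stored, actual


if __name__ == "__main__":
    print("vulnerable:", run(vulnerable_checkout, 3))  # (1, 3): two redemptions lost
    print("fixed:     ", run(fixed_checkout, 3))       # (3, 3): counter matches reality
```

With three overlapping requests the vulnerable listener ends with order_count 1 against three real redemptions, because every request read 0 before any of them wrote; the derived counter ends at 3 under the same schedule. Note what this does and does not show: recomputing from order_line_item fixes the lost update on the counter itself. Whether overlapping checkouts can still both pass a redemption-limit check that runs before the order is written is a separate question the page does not answer, which is why the post-upgrade check above is worth running.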

WAF Protection Rules

WAF Rule

A race condition vulnerability has been identified in the voucher system of Shopware (vulnerable versions <= 6.6.10.4 per the table above) that allows attackers to bypass intended voucher restrictions and exceed usage limitations.

Reasoning

The vulnerability exists in the `PromotionRedemptionUpdater.php` file, specifically in the `orderPlaced` method. This method was responsible for updating the redemption count of a promotion. The vulnerability is a classic race condition where the app