2.7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-3cpp-fv95-mpr5

EPSS Score

CWE

CWE-918

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3cpp-fv95-mpr5

GHSA-3cpp-fv95-mpr5: Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice

Impact

This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. In certain cases, this may lead to access to internal resources such as databases, file systems, or other services that are not supposed to be directly accessible from the internet.

The overall impact of this vulnerability is considered limited, as the functionality is highly restricted and only processes IMG tags.

Description

Server-Side Request Forgery (SSRF) is a vulnerability that enables a malicious actor to manipulate an application server into performing HTTP requests to arbitrary domains. SSRF is commonly exploited to make the server initiate requests to its internal systems or other services within the same network, which are typically not exposed to external users. In some cases, SSRF can also be used to target external systems. A successful SSRF attack can result in unauthorized actions or access to data within the organization, the web application itself, or other backend systems the application communicates with. In worst-case scenario, a SSRF vulnerability can be exploited to execute malicious code on the server.

Applicability

The PDF generator used to create order invoices contains a Server-Side Request Forgery (SSRF) vulnerability. Administrative users can generate invoices for completed orders and have the option to add a note to the invoice. This input is currently not adequately filtered for (malicious) HTML characters. When a malicious actor submits an IMG tag as input, the PDF generator attempts to retrieve an external image while processing the IMG tag. As a result, the application server can be used to perform an HTTP request, enabling the malicious actors to reach both external and internal servers. To exploit this vulnerability, an admin account is required.

Reproduction

To reproduce this vulnerability, the steps below can be followed.

Log in as an admin and navigate to the following URL: https://<your-site>.shopware.store/admin#/sw/order/detail/0198e0afa2cb70ceb76ad64fc7864ca6/documents?limit=25&page=1&term=&sortBy&sortDirection=ASC&naturalSorting=false
Click the button ‘Create document’ and create a ‘Partial cancellation’ document.
As a comment add the following code:

<img src="<malicious image link>" width="250" height="100"/>

Press the preview button to view the PFD.
Observe that the image is shown in the PDF.

(GitHub Advisory)

2.7

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-3cpp-fv95-mpr5

EPSS Score

CWE

CWE-918

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/platform	composer	>= 6.7.0.0, < 6.7.3.1	6.7.3.1
shopware/platform	composer	< 6.6.10.7	6.6.10.7
shopware/core	composer	>= 6.7.0.0, < 6.7.3.1	6.7.3.1
shopware/core	composer	< 6.6.10.7	6.6.10.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Server-Side Request Forgery (SSRF) that occurs during the generation of PDF documents for orders. The root cause is improper sanitization of user-provided input, specifically the 'documentComment' field, which is included in the generated documents.

The analysis of the provided patch f32737b34798d4800b81c67efee17905380d2be4 shows that the fix involves modifying Twig templates. The key change is in src/Core/Framework/Resources/views/documents/includes/comment.html.twig, where the sw_sanitize filter is now called with (null, true). This enables a stricter sanitization mode that strips all HTML tags, including the malicious <img> tags that cause the SSRF.

The vulnerability is triggered when a document is rendered. The test files modified in the patch (InvoiceRendererTest.php, CreditNoteRendererTest.php, etc.) point to the Shopware\Core\Checkout\Document\Renderer\* classes as being responsible for this rendering process. Although the patch does not modify these PHP classes directly, they are the ones that orchestrate the rendering of the vulnerable Twig templates. Therefore, their render methods (a conventional name for such methods) are the primary functions that would appear in a runtime profile during exploitation.

Additionally, the Shopware\Core\Framework\Adapter\Twig\Extension\SanitizeExtension::sw_sanitize function is identified as a key component. The vulnerability stems from its insecure default behavior. The patch remediates the vulnerability by invoking this function with parameters that enforce stricter sanitization.

In summary, an attacker with admin privileges can inject an <img> tag with a malicious src attribute into the document comment. When the server generates the PDF for the document, the PDF generation library attempts to fetch the image from the specified URL, leading to an SSRF attack. The identified functions are all part of this vulnerable document generation process.

Vulnerable functions

Shopware\Core\Checkout\Document\Renderer\InvoiceRenderer::render

src/Core/Checkout/Document/Renderer/InvoiceRenderer.php

This function is responsible for rendering the invoice document. It uses Twig templates that were vulnerable to SSRF because they did not properly sanitize the 'documentComment' input, allowing malicious `<img>` tags to be injected. The renderer passes the user-controlled data to the vulnerable template, leading to the SSRF when the PDF is generated.

Shopware\Core\Checkout\Document\Renderer\CreditNoteRenderer::render

src/Core/Checkout/Document/Renderer/CreditNoteRenderer.php

This function is responsible for rendering the credit note document. It uses Twig templates that were vulnerable to SSRF because they did not properly sanitize the 'documentComment' input, allowing malicious `<img>` tags to be injected. The renderer passes the user-controlled data to the vulnerable template, leading to the SSRF when the PDF is generated.

Shopware\Core\Checkout\Document\Renderer\DeliveryNoteRenderer::render

src/Core/Checkout/Document/Renderer/DeliveryNoteRenderer.php

This function is responsible for rendering the delivery note document. It uses Twig templates that were vulnerable to SSRF because they did not properly sanitize the 'documentComment' input, allowing malicious `<img>` tags to be injected. The renderer passes the user-controlled data to the vulnerable template, leading to the SSRF when the PDF is generated.

Shopware\Core\Checkout\Document\Renderer\StornoRenderer::render

src/Core/Checkout/Document/Renderer/StornoRenderer.php

This function is responsible for rendering the cancellation invoice (storno) document. It uses Twig templates that were vulnerable to SSRF because they did not properly sanitize the 'documentComment' input, allowing malicious `<img>` tags to be injected. The renderer passes the user-controlled data to the vulnerable template, leading to the SSRF when the PDF is generated.

Shopware\Core\Framework\Adapter\Twig\Extension\SanitizeExtension::sw_sanitize

src/Core/Framework/Adapter/Twig/Extension/SanitizeExtension.php

This Twig filter is used for sanitizing content. The vulnerability was caused by its default configuration, which did not strip `<img>` tags, allowing for SSRF. While not directly calling the PDF generator, its insecure default is a root cause of the vulnerability. Any function calling this without the correct parameters would be part of the vulnerable execution flow.

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility *llows m*li*ious **tors to *or** t** *ppli**tion s*rv*r to s*n* *TTP r*qu*sts to *ot* *xt*rn*l *n* int*rn*l s*rv*rs. In **rt*in **s*s, t*is m*y l*** to ****ss to int*rn*l r*sour**s su** *s **t***s*s, *il* syst*ms, or ot*

Reasoning

T** vuln*r**ility is * S*rv*r-Si** R*qu*st *or**ry (SSR*) t**t o**urs *urin* t** **n*r*tion o* P** *o*um*nts *or or**rs. T** root **us* is improp*r s*nitiz*tion o* us*r-provi*** input, sp**i*i**lly t** '*o*um*nt*omm*nt' *i*l*, w*i** is in*lu*** in t*

2.7

Basic Information

Concerned about an active attack path?

GHSA-3cpp-fv95-mpr5: Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice

Impact

Description

Applicability

Reproduction

2.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI