Fluid Attacks Database

Description

Shopware allows Denial Of Service via password length

Impact

It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API.

Patches

Update to Shopware 6.6.10.3 or 6.5.8.17

Workarounds

For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	shopware/core	>=6.6.0.0 <6.6.10.3 \|\| >=6.7.0.0-rc1 <6.7.0.0-rc2 \|\| >=0 <6.5.8.17	6.6.10.3, 6.7.0.0-rc2, 6.5.8.17
packagist	shopware/platform	>=6.6.0.0 <6.6.10.3 \|\| >=6.7.0.0-rc1 <6.7.0.0-rc2 \|\| >=0 <6.5.8.17	6.6.10.3, 6.7.0.0-rc2, 6.5.8.17

Aliases

1. CVE-2025-301512. NVD-2025-301513. OSV-2025-301514. GHSA-cgfj-hj93-rmh25. GCVE-2025-30151

References

1. https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh22. https://github.com/shopware/shopware/releases/tag/v6.5.8.173. https://github.com/shopware/shopware/releases/tag/v6.6.10.34. https://github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2