User enumeration in shopware/core

Description

Shopware 6 allows attackers to check for registered accounts through the store-api.

Impact

Through the store-api it is possible, as an attacker, to check whether a specific e-mail address has an account in the shop.

Using the store-api endpoint /store-api/account/recovery-password, you get the response

{"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not Found","detail":"No matching customer for the email \[email protected]\u0022 was found.","meta":{"parameters":{"email":"[email protected]"}}}]}

which clearly indicates that there is no account for this e-mail address. In contrast, you get a success response if the account exists, so the two cases can be told apart from the response alone.
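The leaking behaviour beside a non-leaking variant, as an added Python model of the endpoint (not Shopware's PHP code and not its actual patch); the customer table and the mail queue are constructed stand-ins:

```python
import json
from dataclasses import dataclass

# Constructed stand-in for the shop's customer repository.
KNOWN_CUSTOMERS = {"alice@example.com"}
# Constructed stand-in for the outgoing mail queue.
SENT_MAILS = []


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def queue_recovery_mail(email: str) -> None:
    SENT_MAILS.append(email)


def recovery_password_leaky(email: str) -> Response:
    """Behaviour described in the advisory: 404 with CHECKOUT__CUSTOMER_NOT_FOUND
    for an unknown address, success for a known one. The HTTP response itself
    tells an observer whether the account exists."""
    if email not in KNOWN_CUSTOMERS:
        return Response(404, {"errors": [{
            "status": "404",
            "code": "CHECKOUT__CUSTOMER_NOT_FOUND",
            "title": "Not Found",
            "detail": f'No matching customer for the email "{email}" was found.',
            "meta": {"parameters": {"email": email}},
        }]})
    queue_recovery_mail(email)
    return Response(200, {"success": True})


def recovery_password_hardened(email: str) -> Response:
    """Assumed hardening (not Shopware's fix): identical status and body for
    both cases; the mail is only queued when an account exists. Queueing must be
    asynchronous, or response timing becomes the next oracle."""
    if email in KNOWN_CUSTOMERS:
        queue_recovery_mail(email)
    return Response(200, {"success": True})


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Regression-test oracle: True if status or body differs between a
    registered and an unregistered address."""
    a, b = handler(known), handler(unknown)
    return a.status != b.status or \
        json.dumps(a.body, sort_keys=True) != json.dumps(b.body, sort_keys=True)
```

Running `responses_distinguishable` against both handlers in a test suite keeps the fix from regressing silently.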

Patches

Update to Shopware 6.6.10.3.

Workarounds

For older versions of 6.5 or 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
