CVE-2024-27917: Shopware Information Disclosure Flaw

CVE-2024-27917 Overview

CVE-2024-27917 is a session cookie exposure vulnerability in Shopware, an open commerce platform built on the Symfony Framework and Vue. Starting with Shopware 6.5.8.0, 404 response pages are cached to improve performance. The Symfony Session Handler appends the session cookie to the response, and when this response is cached, subsequent visitors to a 404 page receive another user's session cookie. The flaw is tracked under [CWE-524: Use of Cache Containing Sensitive Information]. Shopware released version 6.5.8.7 to address the issue.

Critical Impact

Cached 404 responses can leak Symfony session cookies to unauthenticated visitors, enabling session hijacking and unauthorized account access on affected Shopware storefronts.

Affected Products

• Shopware 6.5.8.0 through 6.5.8.6
• Shopware Storefront component (versions prior to the patched commit)
• Deployments using the default Symfony Session Handler (file-based or non-Redis backends)

Discovery Timeline

• 2024-03-06 - CVE-2024-27917 published to NVD
• 2025-09-10 - Last updated in NVD database

Technical Details for CVE-2024-27917

Vulnerability Analysis

The vulnerability stems from an interaction between Shopware's HTTP cache layer and Symfony's default session handling. When a browser without an existing session requests a non-existent URL, Symfony's Session Handler creates a new session and assigns the resulting PHPSESSID cookie to the response object. Shopware's NotFoundSubscriber then stores that response in the HTTP cache.

Subsequent requests for the same 404 URL receive the cached response, including the original visitor's session cookie. Because the cookie is treated as valid by the application, any user who receives it inherits that session context. This results in cross-user session assignment and potential hijacking of authenticated sessions if a logged-in user later associates their account with the leaked session identifier.

Root Cause

The root cause is the absence of cookie sanitization in the NotFoundSubscriber cache path. The cached response includes a Set-Cookie header containing the Symfony session identifier. The cache key does not vary by session, so the same response — and the same cookie — is served to every visitor who hits the cached 404 entry.

Deployments using the PHP Redis extension for session storage do not trigger the exploit path because the Redis-backed handler does not emit the session cookie in the same response flow.

Attack Vector

An unauthenticated remote attacker requests any URL that returns a 404 on an affected Shopware storefront. If the response is the first to populate the cache entry, subsequent visitors receive the attacker-poisoned cookie, or the attacker receives a cookie tied to another user's pending session. The attacker can then replay the captured session identifier to access the victim's storefront context.

     */
    private bool $handled = false;

+   private string $sessionName;
+
    /**
     * @internal
     *
     * @param AbstractCacheTracer<Response> $cacheTracer
+    * @param array{name?: string} $sessionOptions
     */
    public function __construct(
        private readonly HttpKernelInterface $httpKernel,

Source: Shopware patch commit 7d9cb03. The patch introduces a $sessionName property and $sessionOptions constructor argument so the NotFoundSubscriber can identify and strip the session cookie before caching the response.

Detection Methods for CVE-2024-27917

Indicators of Compromise

• Multiple distinct client IP addresses presenting the same PHPSESSID (or configured session name) cookie value within a short time window.
• Cached 404 responses containing a Set-Cookie header for the Symfony session cookie.
• Unexpected session continuity across users, such as cart contents or wishlist data appearing for unauthenticated visitors.

Detection Strategies

• Inspect HTTP cache entries for 404 responses that include Set-Cookie headers tied to the session name.
• Correlate web access logs to identify reuse of identical session identifiers across multiple source IPs and user agents.
• Audit storefront sessions for ownership changes, including sessions transitioning from anonymous to authenticated without a fresh cookie issuance.

Monitoring Recommendations

• Alert on 404 cache hits that propagate Set-Cookie headers downstream from the reverse proxy or CDN.
• Track the Shopware version in use across all storefront nodes and flag any host running 6.5.8.0 through 6.5.8.6.
• Review CDN and HTTP cache configurations to confirm that responses with Set-Cookie headers are excluded from shared caches.

How to Mitigate CVE-2024-27917

Immediate Actions Required

• Upgrade Shopware to version 6.5.8.7 or later, which contains the official patch for CVE-2024-27917.
• Invalidate the existing HTTP cache after upgrading to purge any poisoned 404 entries that may still serve leaked cookies.
• Rotate all active storefront sessions by clearing the session store so any cookies leaked prior to the patch cannot be replayed.

Patch Information

Shopware addressed the issue in release v6.5.8.7. The fix is documented in GHSA-c2f9-4jmm-v45m and applied through the core commit 7d9cb03 and the storefront commit 3477e4a. The patch passes %session.storage.options% into the NotFoundSubscriber so the session cookie is removed before the 404 response is cached.

Workarounds

• Configure Shopware to use Redis for session storage via the PHP Redis extension, which bypasses the vulnerable code path.
• Disable HTTP caching for 404 responses until the upgrade can be deployed.
• Strip Set-Cookie headers from 404 responses at the reverse proxy or CDN layer as a defense-in-depth control.

# Example: configure Redis-backed sessions in Shopware (.env)
SHOPWARE_HTTP_CACHE_ENABLED=1
SESSION_HANDLER=redis
REDIS_URL=redis://127.0.0.1:6379/0