CVE-2025-30151 Overview
CVE-2025-30151 is a denial-of-service vulnerability affecting Shopware, an open commerce platform. The flaw allows unauthenticated attackers to submit excessively long passwords through Storefront forms or the Store-API. Processing these oversized inputs exhausts server resources and renders the application unavailable to legitimate users.
The issue is classified as CWE-20 (Improper Input Validation). Shopware addressed the vulnerability in versions 6.6.10.3 and 6.5.8.17. Operators running the older 6.4 branch can apply equivalent protections through an official plugin.
Critical Impact
Unauthenticated remote attackers can trigger denial of service against Shopware storefronts by submitting long passwords to public-facing forms, disrupting commerce operations.
Affected Products
- Shopware versions prior to 6.6.10.3 on the 6.6.x branch
- Shopware versions prior to 6.5.8.17 on the 6.5.x branch
- Shopware 6.4.x (mitigation available via plugin)
- Shopware 6.7.0.0-rc1
Discovery Timeline
- 2025-04-08 - CVE-2025-30151 published to NVD
- 2025-09-10 - Last updated in NVD database
Technical Details for CVE-2025-30151
Vulnerability Analysis
The vulnerability resides in Shopware's input handling for password fields exposed by Storefront forms and the Store-API. The application accepts password values without enforcing a reasonable upper bound on length. When a long password is submitted, the backend attempts to process and hash it, consuming disproportionate CPU and memory resources.
Password hashing functions such as bcrypt and Argon2 are designed to be computationally expensive. Supplying multi-megabyte password strings amplifies that cost, allowing a small number of requests to saturate worker processes. This is a classic algorithmic complexity attack against a hashing pipeline.
Because the vulnerable endpoints are reachable over the network without authentication, attackers can mount the attack directly against any public Shopware storefront. The result is service degradation or full unavailability for shoppers and administrators.
Root Cause
The root cause is missing length validation on password input fields before they reach the password hashing routine. Shopware did not enforce a maximum size constraint on submitted credentials in registration, login, or password-reset workflows exposed through the Storefront and Store-API.
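The missing check described above, as an added illustration that is not Shopware's code: a vulnerable intake that hashes whatever arrives, beside a hardened one that bounds the password before any expensive work runs. `MAX_PASSWORD_BYTES`, `slow_hash`, `register_vulnerable`, `register_hardened` and the other names are assumptions for this example (the limit is not the value Shopware's fix uses), and PBKDF2 from the standard library stands in for bcrypt or Argon2.

```python
"""Vulnerable versus hardened password intake (added example, not Shopware code).

MAX_PASSWORD_BYTES is an assumed bound for this illustration, not the value
Shopware's fix enforces. PBKDF2 from the standard library stands in for a
bcrypt/Argon2 hasher; the point is that the length check runs before it.
"""
import hashlib
import os

MAX_PASSWORD_BYTES = 4096  # assumed bound for this example
MIN_PASSWORD_BYTES = 8
SALT_BYTES = 16


class PasswordRejected(ValueError):
    """Raised when a submitted password fails the cheap pre-hash checks."""


def slow_hash(password: bytes, salt: bytes) -> bytes:
    # Stand-in for a deliberately expensive password hash (32-byte digest).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


def register_vulnerable(password: str) -> bytes:
    # The pattern the advisory describes: no bound on the input, so an
    # arbitrarily large string is encoded and fed to the hasher in full.
    salt = os.urandom(SALT_BYTES)
    return salt + slow_hash(password.encode("utf-8"), salt)


def check_password_length(password: str) -> bytes:
    """Return the UTF-8 bytes of password, or raise before any expensive work.

    Two cheap checks, in order: the character count (O(1) on a str) rejects
    grossly oversized input before it is even encoded, then the byte count
    catches multi-byte code points, since a 1100-character password made of
    4-byte characters is 4400 bytes and the hasher sees bytes, not characters.
    """
    if len(password) > MAX_PASSWORD_BYTES:
        raise PasswordRejected("password too long")
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordRejected("password too long")
    if len(raw) < MIN_PASSWORD_BYTES:
        raise PasswordRejected("password too short")
    return raw


def register_hardened(password: str) -> bytes:
    # Bound the input first; only then pay for the hash.
    raw = check_password_length(password)
    salt = os.urandom(SALT_BYTES)
    return salt + slow_hash(raw, salt)


if __name__ == "__main__":
    print(len(register_hardened("correct horse battery staple")), "bytes stored")
    try:
        register_hardened("x" * 100_000)
    except PasswordRejected as exc:
        print("rejected before hashing:", exc)
```

The same bound belongs at the request layer as well (a `Content-Length` cap on the proxy, as in the workaround section), so that an oversized body is refused before the application even reads it; the application-level check then covers requests that arrive by another path.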
Attack Vector
An attacker sends HTTP POST requests to a public Shopware form, such as customer registration, login, or password reset, with a password field containing an extremely large string. Repeating these requests in parallel forces the server to allocate memory and execute hashing operations until worker pools are exhausted. No credentials, user interaction, or prior access are required.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-cgfj-hj93-rmh2 for vendor-supplied technical details.
Detection Methods for CVE-2025-30151
Indicators of Compromise
- HTTP POST requests to Shopware Storefront endpoints (/account/register, /account/login, /account/recover) or Store-API routes with abnormally large request bodies
- Spikes in PHP-FPM or web worker CPU utilization correlated with traffic to authentication endpoints
- Increased response times or HTTP 502/504 errors on customer-facing storefront pages
Detection Strategies
- Inspect web server access logs for POST requests with Content-Length values significantly exceeding typical form submissions to authentication routes.
- Apply Web Application Firewall (WAF) rules that flag or block requests containing password fields longer than a configured threshold, such as 128 characters.
- Correlate worker process exhaustion events with request patterns targeting /account/* and Store-API authentication endpoints.
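The log inspection in the first strategy above, as an added example that is not part of the original page. It assumes an Nginx `log_format` that records `$content_length` (the default combined format carries the response size, not the request body size), parses constructed sample lines, and returns the POSTs to the authentication routes named above whose bodies exceed the 8k cap used by the Nginx workaround on this page; the function and variable names are assumptions for the example.

```python
"""Flag oversized POSTs to Shopware authentication routes in access logs.

Added example, not Shopware code. It assumes a custom Nginx log_format that
appends the request body size, for instance:
    log_format auth '$remote_addr [$time_local] "$request" $status $content_length';
The sample log lines below are constructed for illustration.
"""
import re
from collections import Counter

# Storefront routes named in the advisory plus the Store-API account routes.
AUTH_ROUTE = re.compile(r"^/(account/(register|login|recover)|store-api/account/.*)$")
MAX_BODY_BYTES = 8 * 1024  # same cap as the Nginx workaround on the page

LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<clen>\d+|-)$'
)

# Constructed sample: two multi-megabyte POSTs from one source, one from
# another, plus ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 [08/Apr/2025:10:00:01 +0000] "POST /account/login HTTP/1.1" 200 512
203.0.113.7 [08/Apr/2025:10:00:02 +0000] "POST /account/login HTTP/1.1" 504 5242880
203.0.113.7 [08/Apr/2025:10:00:02 +0000] "POST /account/register HTTP/1.1" 504 5242880
198.51.100.9 [08/Apr/2025:10:00:03 +0000] "POST /store-api/account/login HTTP/1.1" 504 3145728
192.0.2.44 [08/Apr/2025:10:00:04 +0000] "POST /account/register HTTP/1.1" 302 2048
192.0.2.44 [08/Apr/2025:10:00:05 +0000] "GET /account/login HTTP/1.1" 200 -
192.0.2.44 [08/Apr/2025:10:00:06 +0000] "POST /checkout/cart HTTP/1.1" 200 16384
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["clen"] = 0 if entry["clen"] == "-" else int(entry["clen"])
    return entry


def oversized_auth_posts(log_text, max_body=MAX_BODY_BYTES):
    """Return entries that are POSTs to auth routes with bodies over max_body."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["method"] != "POST":
            continue
        path = entry["path"].split("?", 1)[0]  # ignore any query string
        if AUTH_ROUTE.match(path) and entry["clen"] > max_body:
            hits.append(entry)
    return hits


def offenders_by_ip(hits):
    """Count flagged requests per source address for follow-up."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = oversized_auth_posts(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ip"]} {h["path"]} body={h["clen"]} status={h["status"]}')
    print(offenders_by_ip(flagged))
```

Run against a real log, the interesting signal is the combination of a large body, an authentication path and a 502/504 status; a single large POST to a registration form can be a legitimate but unusual submission, while the same source repeating it is the pattern the indicators above describe.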
Monitoring Recommendations
- Alert on sustained high CPU usage by PHP processes handling Shopware traffic.
- Track request rate and payload size distributions per endpoint and baseline normal behavior.
- Monitor Shopware application logs for repeated authentication attempts from the same source IP address.
How to Mitigate CVE-2025-30151
Immediate Actions Required
- Upgrade Shopware to version 6.6.10.3 or 6.5.8.17 without delay.
- For Shopware 6.4 deployments, install the vendor-provided security plugin that enforces password length limits.
- Deploy WAF or reverse-proxy rules that reject oversized request bodies on authentication endpoints until patching is complete.
Patch Information
Shopware released fixed versions 6.6.10.3 and 6.5.8.17 that enforce a maximum length on password inputs before hashing occurs. For the legacy 6.4 branch, equivalent protections ship as an official plugin. Full details are published in the Shopware GHSA-cgfj-hj93-rmh2 advisory. Shopware recommends moving to the latest release for full feature parity and continued support.
Workarounds
- Configure the upstream reverse proxy (Nginx, HAProxy, or a CDN) to cap request body size on /account/* and Store-API authentication routes.
- Add rate limiting on authentication endpoints to slow brute-force resource exhaustion attempts.
- Restrict access to the Store-API at the network layer where it is not required for public consumption.
# Nginx example: cap request body size on Shopware authentication routes.
# The shared-memory zone used by limit_req must be declared once in the
# http {} context, e.g.: limit_req_zone $binary_remote_addr zone=auth_zone:10m rate=10r/s;
# and shopware_backend must be an existing upstream {} block or host:port.
# Note that this pattern matches every /store-api/ route, not only the
# authentication ones; narrow it if other Store-API calls need larger bodies.
location ~ ^/(account|store-api)/ {
    client_max_body_size 8k;
    limit_req zone=auth_zone burst=10 nodelay;
    proxy_pass http://shopware_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.