CVE-2025-67648 Overview
CVE-2025-67648 is a Reflected Cross-Site Scripting (XSS) vulnerability in Shopware, an open commerce platform. The flaw resides in AuthController.php, where the waitTime request parameter from the login page URL is rendered directly within a Twig template on the Storefront login page. Because the parameter lacks proper input validation and sanitization, attackers can inject arbitrary script content through a crafted URL. The issue affects Shopware versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0, and is fixed in 6.6.10.10 and 6.7.5.1. The vulnerability is tracked under [CWE-79].
Critical Impact
A successful attack tricks an authenticated or anonymous shopper into clicking a crafted URL, enabling script execution in the victim's browser session, session token theft, credential harvesting, or storefront defacement.
Affected Products
- Shopware 6.4.6.0 through 6.6.10.9
- Shopware 6.7.0.0 through 6.7.5.0
- Storefront component (AuthController.php login flow)
Discovery Timeline
- 2025-12-11 - CVE-2025-67648 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2025-67648
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-controlled query parameters in the Shopware Storefront login controller. The AuthController::loginPage method retrieves waitTime, loginError, and errorSnippet directly from the HTTP request object using $request->get(). These values are then passed into the Twig template login.html.twig without strict typing or input validation.
Within the template, the waitTime value is interpolated into a translation string and processed by the sw_sanitize filter. However, the default sw_sanitize configuration does not strip all script-bearing payloads when the value is injected into a translation context. This allows reflected script content from the URL to reach the rendered HTML.
Root Cause
The root cause is two-fold. First, the controller trusted raw GET parameters instead of resolving controlled, typed values from the request attribute bag. Second, the Twig template applied sw_sanitize without enabling its stricter mode and did not enforce numeric typing on waitTime.
Attack Vector
An attacker crafts a malicious URL pointing to the Shopware Storefront login page with an XSS payload supplied in the waitTime parameter. The victim must click the link or be redirected to it, satisfying the user interaction requirement. Upon page rendering, the injected payload executes in the victim's browser under the storefront origin.
// Patched code in src/Storefront/Controller/AuthController.php
// Source: https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58
'redirectParameters' => $request->get('redirectParameters', json_encode([])),
'errorRoute' => $request->attributes->get('_route'),
'page' => $page,
// Before (vulnerable):
// 'loginError' => (bool) $request->get('loginError'),
// 'waitTime' => $request->get('waitTime'),
// 'errorSnippet' => $request->get('errorSnippet'),
// After (fixed):
'loginError' => $request->attributes->getBoolean('loginError'),
'waitTime' => $request->attributes->get('waitTime'),
'errorSnippet' => $request->attributes->get('errorSnippet'),
'data' => $data,
The fix moves parameter resolution from the raw query string ($request->get) to the request attributes bag ($request->attributes->get), which is populated by trusted internal routing logic. The companion Twig change enforces numeric formatting on waitTime and enables strict sanitization on errorSnippet:
# Patched login.html.twig
# Source: https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58
# Before:
# content: errorSnippet|trans|sw_sanitize
# content: 'account.loginThrottled'|trans({'%seconds%': waitTime})|sw_sanitize
# After:
content: errorSnippet|trans|sw_sanitize({}, true)
content: 'account.loginThrottled'|trans({'%seconds%': waitTime|number_format})|sw_sanitize
Detection Methods for CVE-2025-67648
Indicators of Compromise
- HTTP requests to the Storefront login route (typically /account/login) containing waitTime, loginError, or errorSnippet query parameters with non-numeric or HTML-encoded values.
- URL-encoded <script>, onerror=, javascript:, or <svg payloads in the waitTime parameter within web server access logs.
- Outbound requests from shopper browsers to attacker-controlled domains shortly after visiting a Shopware login URL with anomalous query strings.
Detection Strategies
- Inspect access logs and WAF telemetry for query strings hitting the login endpoint where waitTime contains anything other than a numeric value.
- Correlate referrer headers pointing to external sites with login URLs containing populated errorSnippet or waitTime parameters.
- Hunt for clusters of identical malicious URLs distributed via email or messaging platforms targeting your storefront domain.
Monitoring Recommendations
- Enable verbose HTTP request logging on the Shopware Storefront and forward logs to a centralized analytics platform for query parameter inspection.
- Alert on Content Security Policy (CSP) violation reports originating from /account/login and adjacent routes.
- Track Shopware release versions across all storefront deployments to confirm patched builds are in production.
How to Mitigate CVE-2025-67648
Immediate Actions Required
- Upgrade Shopware to version 6.6.10.10 or 6.7.5.1 as soon as possible, depending on your branch.
- Audit web server logs for the past several months for malicious waitTime, loginError, or errorSnippet parameter values targeting the login route.
- Rotate session secrets and force re-authentication for storefront customers if exploitation indicators are found.
Patch Information
Shopware addressed the issue in commit c9242c02c84595d9fa3e2adf6a264bc90a657b58, released as part of versions 6.6.10.10 and 6.7.5.1. The patch sources waitTime, loginError, and errorSnippet from the routing attribute bag rather than the query string, and tightens Twig sanitization. Refer to the Shopware Security Advisory GHSA-6w82-v552-wjw2 and the GitHub commit details.
Workarounds
- Deploy a Web Application Firewall (WAF) rule that rejects requests to /account/login when waitTime contains non-digit characters.
- Enforce a strict Content Security Policy on the Storefront that blocks inline scripts and restricts script sources to trusted origins.
- If patching must be delayed, override the affected Twig template to coerce waitTime through |number_format and apply sw_sanitize({}, true) to errorSnippet.
# Example ModSecurity rule to block non-numeric waitTime values
SecRule REQUEST_URI "@beginsWith /account/login" \
"chain,phase:2,deny,status:400,id:1006748,msg:'CVE-2025-67648 waitTime XSS attempt'"
SecRule ARGS:waitTime "!@rx ^[0-9]{1,6}$" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

