CVE-2025-30151

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-30151

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30151.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30151

Aliases

GHSA-cgfj-hj93-rmh2

Published

2025-04-08T13:46:30.629Z

Modified

2026-02-05T09:55:59.901963Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Shopware allows Denial Of Service via password length

Details

Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30151.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ]
}

References

Affected packages

Git / github.com/shopware/shopware

Affected ranges

Type

GIT

Repo

https://github.com/shopware/shopware

Events

Introduced

Fixed

55bce12f712aa77bf9b33839b1fc7fc59a9675c1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.5.8.17"
        }
    ]
}

Type

GIT

Repo

https://github.com/shopware/shopware

Events

Introduced

b0ae9ef3fae80afcc4f38401c09037fa7adc57b0

Fixed

fde02b7dc7e7f3a8ad537ccea0663aa688db87eb

Database specific

{
    "versions": [
        {
            "introduced": "6.6.0.0"
        },
        {
            "fixed": "6.6.10.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/shopware/shopware

Events

Introduced

19ed8e5565e44292e30bdf767bda0212a0b6a0a9

Fixed

ac87132f8832392fffd5d2313546e6d790e18862

Database specific

{
    "versions": [
        {
            "introduced": "6.7.0.0-rc1"
        },
        {
            "fixed": "6.7.0.0-rc2"
        }
    ]
}

Affected versions

v6.*

v6.0.0+dp1

v6.0.0+ea1

v6.0.0+ea1.1

v6.0.0+ea2

v6.1.0

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.2.0

v6.2.0-RC1

v6.2.1

v6.2.2

v6.2.3

v6.3.0.0

v6.3.0.1

v6.3.0.2

v6.3.3.0

v6.3.3.1

v6.3.4.1

v6.3.5.0

v6.4.1.0

v6.4.1.1

v6.4.1.2

v6.4.10.0

v6.4.10.1

v6.4.11.0

v6.4.11.1

v6.4.13.0

v6.4.14.0

v6.4.15.0

v6.4.15.1

v6.4.15.2

v6.4.16.0

v6.4.16.1

v6.4.17.0

v6.4.17.1

v6.4.17.2

v6.4.3.0

v6.4.3.1

v6.4.4.0

v6.4.4.1

v6.4.5.0

v6.4.5.1

v6.4.6.0

v6.4.6.1

v6.4.8.0

v6.4.8.1

v6.4.8.2

v6.4.9.0

v6.5.0.0

v6.5.0.0-rc1

v6.5.0.0-rc2

v6.5.0.0-rc3

v6.5.0.0-rc4

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.10

v6.5.8.11

v6.5.8.12

v6.5.8.15

v6.5.8.16

v6.5.8.3

v6.5.8.5

v6.5.8.8

v6.5.8.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30151.json"