A recently disclosed SQL injection vulnerability in older versions of the Shopware platform has raised concerns among online shop operators.
Although Shopware has addressed the issue in its latest release (version 6.5.8.13), it has been revealed that the fix provided by the Shopware Security Plugin for older versions remains incomplete.
This vulnerability (CVE-2025-27892) enables attackers to exploit a critical flaw in the API endpoints, potentially leading to unauthorized database access and privilege escalation.
.png
)
The vulnerability resides in the aggregations field used in search-related endpoints such as /api/search/order.
While the security plugin (Shopware Security Plugin 6 version 2.0.10) attempts to patch the vulnerability, it fails to sanitize nested aggregation objects effectively.
This oversight leaves systems running older versions of Shopware still susceptible to exploitation, even if the security plugin is installed.
The vulnerability particularly affects Shopware versions prior to 6.5.8.13.
Technical Details of the Exploit
The vulnerability lies in the way the aggregations field is processed in API requests.
Attackers can inject special characters such as ? or : into the name field of nested aggregation objects, exploiting reserved syntax used for prepared statements.
Moreover, the value field in the filter object can become a vehicle for injecting malicious SQL statements.
For instance, an attacker could craft a payload resembling the following:
json { "filter": [ { "type": "equals", "field": "transactions.stateMachineState.technicalName", "value": "paid` FROM `order`; SELECT SLEEP(5); --" } ], "aggregations": [ { "type": "histogram", "name": "order_sum_bucket", "field": "orderDateTime", "interval": "day", "aggregation": { "type": "sum", "name": "totalAmount ? ? --", "field": "amountTotal" } } ] }
This payload demonstrates how an attacker could inject SQL code to compromise the database, potentially escalating access privileges or extracting sensitive information.
Impact and Risk Assessment
The severity of the vulnerability depends largely on the exposure of Shopware APIs and the privileges of the compromised user accounts.
If attackers gain access to endpoints of the Store API or Admin API, they can utilize the vulnerability to interact with the database.
For backend users with low privileges, the vulnerability poses a medium risk as attackers can escalate their access.
However, if search-related endpoints of the Store API are publicly exposed, the risk escalates to high due to the direct access attackers can gain to exploit the database.
According to the researchers, this flaw underscores the importance of securing API endpoints and reviewing plugin-based fixes thoroughly.
Shop owners who rely on older versions often use the Shopware Security Plugin as an interim solution, but this vulnerability reveals the limitations of incomplete fixes.
Shopware AG has addressed this vulnerability in version 6.5.8.13 of its platform.
For customers unable to upgrade immediately, the Shopware Security Plugin 6.2.0.11 has been released to mitigate the issue.
However, users are strongly encouraged to update their main Shopware version to ensure comprehensive protection.
The flawed security plugin’s implementation had failed to properly sanitize nested aggregation objects, focusing only on the top-level fields.
A revised approach introduced in version 6.5.8.13 successfully prevents attackers from exploiting the vulnerability.
The issue was first identified on February 12, 2025, and subsequently disclosed to Shopware on February 24, 2025.
The vendor reviewed the proposed fix, and after collaborative testing, the advisory was published alongside the patch on April 8, 2025.
Although Shopware has acted promptly to resolve the vulnerability, customers operating older versions need to assess their systems and implement the fixes provided either through the Shopware Security Plugin update or by upgrading to the latest release.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
