CVE-2025-7954

Summary

A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.

Affected Software

VendorProductVersion RangeStatus
ShopwareShopware6.6.xaffected
ShopwareShopware6.7.xaffected

Weaknesses

  • CWE-362: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Workarounds

Do not use one-time voucher codes until issue is fixed.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

CVE Program Container

Additional References

References