{"id":"CVE-2025-30151","summary":"Shopware allows Denial Of Service via password length","details":"Shopware is an open commerce platform. It is possible to submit very long passwords through Storefront forms or the Store-API, which leads to a Denial of Service. This vulnerability is fixed in 6.6.10.3 and 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.","aliases":["GHSA-cgfj-hj93-rmh2"],"modified":"2026-02-05T09:55:59.901963Z","published":"2025-04-08T13:46:30.629Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30151.json","cwe_ids":["CWE-20"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30151.json"},{"type":"ADVISORY","url":"https://github.com/shopware/shopware/security/advisories/GHSA-cgfj-hj93-rmh2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30151"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shopware/shopware","events":[{"introduced":"0"},{"fixed":"55bce12f712aa77bf9b33839b1fc7fc59a9675c1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.5.8.17"}]}},{"type":"GIT","repo":"https://github.com/shopware/shopware","events":[{"introduced":"b0ae9ef3fae80afcc4f38401c09037fa7adc57b0"},{"fixed":"fde02b7dc7e7f3a8ad537ccea0663aa688db87eb"}],"database_specific":{"versions":[{"introduced":"6.6.0.0"},{"fixed":"6.6.10.3"}]}},{"type":"GIT","repo":"https://github.com/shopware/shopware","events":[{"introduced":"19ed8e5565e44292e30bdf767bda0212a0b6a0a9"},{"fixed":"ac87132f8832392fffd5d2313546e6d790e18862"}],"database_specific":{"versions":[{"introduced":"6.7.0.0-rc1"},{"fixed":"6.7.0.0-rc2"}]}}],"versions":["v6.0.0+dp1","v6.0.0+ea1","v6.0.0+ea1.1","v6.0.0+ea2","v6.1.0","v6.1.0-rc1","v6.1.0-rc2","v6.1.0-rc3","v6.1.0-rc4","v6.1.1"
,"v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.2.0","v6.2.0-RC1","v6.2.1","v6.2.2","v6.2.3","v6.3.0.0","v6.3.0.1","v6.3.0.2","v6.3.3.0","v6.3.3.1","v6.3.4.1","v6.3.5.0","v6.4.1.0","v6.4.1.1","v6.4.1.2","v6.4.10.0","v6.4.10.1","v6.4.11.0","v6.4.11.1","v6.4.13.0","v6.4.14.0","v6.4.15.0","v6.4.15.1","v6.4.15.2","v6.4.16.0","v6.4.16.1","v6.4.17.0","v6.4.17.1","v6.4.17.2","v6.4.3.0","v6.4.3.1","v6.4.4.0","v6.4.4.1","v6.4.5.0","v6.4.5.1","v6.4.6.0","v6.4.6.1","v6.4.8.0","v6.4.8.1","v6.4.8.2","v6.4.9.0","v6.5.0.0","v6.5.0.0-rc1","v6.5.0.0-rc2","v6.5.0.0-rc3","v6.5.0.0-rc4","v6.5.1.0","v6.5.1.1","v6.5.2.0","v6.5.3.0","v6.5.3.1","v6.5.3.2","v6.5.3.3","v6.5.4.0","v6.5.5.0","v6.5.5.1","v6.5.5.2","v6.5.7.0","v6.5.7.1","v6.5.7.2","v6.5.7.3","v6.5.7.4","v6.5.8.10","v6.5.8.11","v6.5.8.12","v6.5.8.15","v6.5.8.16","v6.5.8.3","v6.5.8.5","v6.5.8.8","v6.5.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30151.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}