CVE-2025-30150: Shopware 6 allows attackers to check for registered accounts through the store-api
(updated )
Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop.
Using the store-api endpoint /store-api/account/recovery-password you get the response
{"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not Found","detail":"No matching customer for the email \u0022asdasfd@asdads.de\u0022 was found.","meta":{"parameters":{"email":"asdasfd@asdads.de"}}}]}
which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found.
References
- github.com/advisories/GHSA-hh7j-6x3q-f52h
- github.com/shopware/shopware
- github.com/shopware/shopware/releases/tag/v6.5.8.17
- github.com/shopware/shopware/releases/tag/v6.6.10.3
- github.com/shopware/shopware/releases/tag/v6.7.0.0-rc2
- github.com/shopware/shopware/security/advisories/GHSA-hh7j-6x3q-f52h
- nvd.nist.gov/vuln/detail/CVE-2025-30150
Code Behaviors & Features
Detect and mitigate CVE-2025-30150 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →