CVE-2025-7954: Shopware race condition bypasses voucher restrictions

August 6, 2025

A race condition vulnerability has been identified in Shopware’s voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations.

References

github.com/advisories/GHSA-27gv-mg7w-mm34
github.com/shopware/shopware
github.com/shopware/shopware/issues/11245
nvd.nist.gov/vuln/detail/CVE-2025-7954

Code Behaviors & Features

Detect and mitigate CVE-2025-7954 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →