CVE-2025-29788: Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
A vulnerability allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after initiating the PayPal Checkout process, PayPal will not receive the updated total amount. As a result, PayPal captures only the initially transmitted amount, while Sylius incorrectly considers the order fully paid based on the modified total. This flaw can be exploited both accidentally and intentionally, potentially enabling fraud by allowing customers to pay less than the actual order value.
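The sequence described above, as an added illustration that is not the plugin's code nor its actual fix: a PayPal order is created with the cart total at checkout start, the quantity is edited afterwards, and the capture returns the stale amount. The `complete_reconciled` variant shows one defensive check a shop could apply, namely refusing to mark the order paid unless the captured amount equals the current order total; all classes and amounts are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass
class CartItem:
    unit_price: Decimal
    quantity: int

@dataclass
class Order:
    items: list
    state: str = "new"
    def total(self) -> Decimal:
        return sum((i.unit_price * i.quantity for i in self.items), Decimal("0.00"))

@dataclass
class PayPalOrder:
    amount: Decimal  # total transmitted at checkout start; PayPal never sees later cart edits

def initiate_checkout(order: Order) -> PayPalOrder:
    # Step 1: the shop creates the PayPal order with the cart total at that moment.
    return PayPalOrder(amount=order.total())

def capture(paypal_order: PayPalOrder) -> Decimal:
    # PayPal captures exactly the amount the PayPal order was created with.
    return paypal_order.amount

def complete_vulnerable(order: Order, paypal_order: PayPalOrder) -> str:
    # Marks the order paid after capture without comparing amounts (the flaw described above).
    capture(paypal_order)
    order.state = "paid"
    return order.state

def complete_reconciled(order: Order, paypal_order: PayPalOrder) -> str:
    # Defensive variant: mark paid only when the captured amount equals the current order total.
    captured = capture(paypal_order)
    if captured != order.total():
        order.state = "payment_amount_mismatch"  # hold for review instead of fulfilling
    else:
        order.state = "paid"
    return order.state

def run_scenario(complete, new_quantity: int) -> tuple:
    # Constructed data: a cart holding one 10.00 item whose quantity is edited after checkout starts.
    order = Order(items=[CartItem(Decimal("10.00"), 1)])
    paypal_order = initiate_checkout(order)
    order.items[0].quantity = new_quantity  # PayPal already holds the old total
    state = complete(order, paypal_order)
    return state, capture(paypal_order), order.total()
```

`run_scenario(complete_vulnerable, 5)` reports the order as paid although only 10.00 of 50.00 was captured, while `run_scenario(complete_reconciled, 5)` flags the mismatch.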
References
- github.com/Sylius/PayPalPlugin
- github.com/Sylius/PayPalPlugin/commit/31e71b0457e5d887a6c19f8cfabb8b16125ec406
- github.com/Sylius/PayPalPlugin/commit/8a81258f965b7860d4bccb52942e4c5b53e6774d
- github.com/Sylius/PayPalPlugin/releases/tag/v1.6.1
- github.com/Sylius/PayPalPlugin/releases/tag/v1.7.1
- github.com/Sylius/PayPalPlugin/releases/tag/v2.0.1
- github.com/Sylius/PayPalPlugin/security/advisories/GHSA-pqq3-q84h-pj6x
- github.com/advisories/GHSA-pqq3-q84h-pj6x
- nvd.nist.gov/vuln/detail/CVE-2025-29788