Shopware’s Voucher Chaos: Unfixed Bug Lets Shoppers Race to Unlimited Discounts!

A race condition in Shopware voucher submission (CVE-2025-7954) lets attackers bypass usage limits. The vendor calls it a “bug” and merchants can cancel orders, but until a patch arrives, using limited vouchers is like playing roulette with your profits.


Hot Take:

Well, it looks like Shopware’s voucher system is racing faster than a caffeinated hamster on a wheel! With no patch in sight, merchants might as well be handing out free candy in a kindergarten. Memo to Shopware: When you call a security bug just a ‘bug,’ it doesn’t make it any less of a headache for merchants!

Key Points:

  • Shopware 6 has a race condition vulnerability in its voucher system, allowing misuse of voucher codes.
  • The vulnerability, CVE-2025-7954, allows attackers to bypass usage limits on vouchers.
  • Shopware has acknowledged the issue but hasn’t provided a patch yet.
  • Merchants are advised to avoid using vouchers with usage limits until a solution is available.
  • SEC Consult disclosed the vulnerability after Shopware published it as a non-security issue.
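
The class of bug described above, as an added example that is not Shopware's code or part of the original article: a usage limit enforced by a separate read and write accepts every request that read the counter before the first write, while a single conditional update does not. The `voucher` table, the `SAVE10` code and all function names are hypothetical, and the interleaving is constructed so the result is deterministic.

```python
import sqlite3

def make_db(limit):
    # Hypothetical schema for illustration; not Shopware's actual tables.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voucher (code TEXT PRIMARY KEY, max_uses INT, used INT)")
    db.execute("INSERT INTO voucher VALUES ('SAVE10', ?, 0)", (limit,))
    return db

def read_used(db, code):
    # Step 1 of the racy flow: read the counter and the limit.
    return db.execute(
        "SELECT used, max_uses FROM voucher WHERE code = ?", (code,)).fetchone()

def redeem_check_then_act(db, code, snapshot):
    # Racy pattern: the limit decision uses an earlier read (snapshot), so
    # concurrent requests holding the same snapshot all pass the check.
    used, max_uses = snapshot
    if used >= max_uses:
        return False
    db.execute("UPDATE voucher SET used = used + 1 WHERE code = ?", (code,))
    return True

def redeem_atomic(db, code):
    # Hardened pattern: check and increment in one statement, so no request
    # can act on a stale read. rowcount tells us whether a use was granted.
    cur = db.execute(
        "UPDATE voucher SET used = used + 1 WHERE code = ? AND used < max_uses",
        (code,))
    return cur.rowcount == 1

def simulate_racy(n_requests, limit=1):
    db = make_db(limit)
    # Constructed interleaving: every request reads before any request writes.
    snapshots = [read_used(db, "SAVE10") for _ in range(n_requests)]
    return sum(redeem_check_then_act(db, "SAVE10", s) for s in snapshots)

def simulate_atomic(n_requests, limit=1):
    db = make_db(limit)
    return sum(redeem_atomic(db, "SAVE10") for _ in range(n_requests))

if __name__ == "__main__":
    print("check-then-act accepted:", simulate_racy(5))
    print("atomic update accepted: ", simulate_atomic(5))
```
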

The Nimble Nerd