GHSA-hh7j-6x3q-f52h
MEDIUMShopware 6 allows attackers to check for registered accounts through the store-api
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
shopware/core🐘shopware/platform🐘shopware/core🐘shopware/platform🐘shopware/core🐘shopware/platformReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Through the store-api it is possible as a attacker to check if a specific e-mail address has an account in the shop.
Using the store-api endpoint /store-api/account/recovery-password you get the response
{"errors":[{"status":"404","code":"CHECKOUT__CUSTOMER_NOT_FOUND","title":"Not Found","detail":"No matching customer for the email \[email protected]\u0022 was found.","meta":{"parameters":{"email":"[email protected]"}}}]}
which indicates clearly that there is no account for this customer. In contrast you get a success response if the account was found.
Patches
Update to Shopware 6.6.10.3
Workarounds
For older versions of 6.5 or 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | shopware/core | ≥ 6.6.0.0&&< 6.6.10.3 | 6.6.10.3 |
| 🐘Packagist | shopware/platform | ≥ 6.6.0.0&&< 6.6.10.3 | 6.6.10.3 |
| 🐘Packagist | shopware/core | ≥ 6.7.0.0-rc1&&< 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| 🐘Packagist | shopware/platform | ≥ 6.7.0.0-rc1&&< 6.7.0.0-rc2 | 6.7.0.0-rc2 |
| 🐘Packagist | shopware/core | all versions | 6.5.8.18 |
| 🐘Packagist | shopware/platform | all versions | 6.5.8.18 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for shopware/core. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update shopware/core to 6.6.10.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hh7j-6x3q-f52h is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-hh7j-6x3q-f52h is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-hh7j-6x3q-f52h. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-hh7j-6x3q-f52h in your dependencies?
O3 detects GHSA-hh7j-6x3q-f52h across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.