CVE-2024-22408 HIGH

CVE-2024-22408: Server-Side Request Forgery (SSRF) in Shopware Flow Builder

Vendor Shopware
Product shopware
Weakness CWE-918 · SSRF
Published January 16, 2024
Last update June 17, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Changed
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Description

Shopware is an open headless commerce platform. The Flow Builder functionality in the Shopware application does not adequately validate the URL used when creating the “call webhook” action. This allows malicious users to make web requests to internal hosts. The issue has been fixed in Commercial Plugin release 6.5.7.4 or with the Security Plugin. For installations running Shopware 6.4, installing the Security plugin and keeping it up to date is recommended. For older versions of 6.4 and 6.5, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
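As an added illustration of the kind of webhook URL validation the description says was missing (example code written for this page, not Shopware's own; the host names and the resolver table are constructed so the check runs offline):

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline; a real check
# would use socket.getaddrinfo() and repeat it at connect time.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "intranet.example.internal": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # mixed answers
}


def resolve(host):
    """Return every address for host; IP literals pass through unchanged."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_public_address(addr):
    """True only for globally routable addresses (rejects RFC 1918, loopback,
    link-local such as 169.254.169.254, shared/CGNAT, multicast, unspecified)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 by its inner IPv4
    return ip.is_global


def validate_webhook_url(url, resolver=resolve):
    """Return (accepted, reason) for a user-supplied webhook target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    addrs = resolver(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    # Every resolved address must be public: one internal record rejects
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"
```

Checking once when the flow is saved does not protect against DNS answers that change later; the same address check should run against the address actually connected to when the action fires.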

Disclosure timeline

January 16, 2024 CVE published
June 17, 2025 Record updated