CVE-2025-7954: 
PHP vulnerability analysis and mitigation

A race condition vulnerability has been identified in Shopware's voucher system affecting version 6.6.10.4. The vulnerability, tracked as CVE-2025-7954, was discovered on August 6, 2025, and allows attackers to bypass intended voucher restrictions and exceed usage limitations (NVD).

The vulnerability stems from a non-atomic validation process in the voucher system, where multiple simultaneous checkouts can bypass the voucher usage restrictions. The vulnerability has been assigned a CVSS 4.0 score of 6.0 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N. The issue is classified as CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (NVD, GitHub Issue).

When successfully exploited, this vulnerability allows attackers to use vouchers beyond their intended usage limits. For example, one-time-use vouchers can be applied multiple times across different checkout sessions, effectively bypassing the merchant's intended restrictions (GitHub Issue).

As of the initial disclosure, no official patch has been released. The issue has been reported and is being tracked for resolution. The recommended fix would involve implementing atomic operations for voucher validation and proper synchronization mechanisms (GitHub Issue).