GHSA-6wh5-mw9h-5c3w: 
PHP vulnerability analysis and mitigation

A path traversal vulnerability (GHSA-6wh5-mw9h-5c3w) was discovered in Shopware's plugin upload functionality, affecting versions >= 6.7.0.0, < 6.7.3.1 and < 6.6.10.7 of shopware/core and shopware/platform packages. The vulnerability was disclosed on October 21, 2025, and impacts on-premises installations of Shopware, allowing authenticated administrators with plugin upload permissions to exploit the vulnerability (GitHub Advisory).

The vulnerability stems from improper validation of file paths in uploaded plugin ZIP files. The Shopware application implements a check to prohibit files containing '..' characters, but this check was only performed from the third entry (index 2) of the uploaded ZIP file. This oversight allows the second entry (index 1) to contain path traversal characters, enabling files to be written outside the intended plugins folder. The vulnerability has been assigned a CVSS score of 2.7 (Low) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web container. This could potentially lead to gaining persistent shell access by uploading a PHP-shell file to an accessible folder. The vulnerability only affects on-premises installations of Shopware, as SaaS installations implement additional security checks on uploaded plugin files (GitHub Advisory).

The vulnerability has been patched in versions 6.7.3.1 and 6.6.10.7. The fix involves modifying the ExtensionExtractor to correctly check all files in ZIP archives for path traversals, similar to the validation already implemented in the AppArchiveValidator (Shopware Commit).