Authenticated server-side request forgery in file upload via URL.
Description
Shopware 6 versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. For the older 6.1, 6.2, and 6.3 release lines, corresponding security measures are available as a workaround via a plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shopware 6 before 6.4.3.1 lets an authenticated user trigger SSRF through file upload by URL; fixed in 6.4.3.1, with a plugin workaround for the 6.1, 6.2, and 6.3 lines.
Vulnerability
Shopware 6 versions prior to 6.4.3.1 contain an authenticated server-side request forgery (SSRF) vulnerability in the file upload via URL feature. The host of the supplied URL is checked by the FileUrlValidator component, and the fix commit (NEXT-15673, "Fix file upload ip validation for IPv6") shows where that check fell short: the address was filtered as written, so an internal or reserved IPv4 address presented as an IPv6 literal, notably the IPv4-mapped forms 0:0:0:0:0:FFFF:7F00:0001 and [0:0:0:0:0:FFFF:127.0.0.1] that the fix's tests add, was not reduced to its IPv4 form before the private/reserved range check; the same tests also pin reserved and private IPv6 literals such as FE80:: and FC00:: as rejected [1][3]. Versions 6.1.x, 6.2.x, and 6.3.x are also affected [1][4].
Exploitation
The attacker needs an account on the Shopware instance with access to the file upload via URL feature. They supply a URL whose host is an internal or loopback address (the advisory's example is https://127.0.0.1/sensitive-data; the IPv4-mapped IPv6 literal https://[0:0:0:0:0:FFFF:127.0.0.1]/ is the form the fix's own test adds). The pre-fix FileUrlValidator, as seen in commit b9f330e, accepts such a literal [3], so the server fetches the resource from that internal address on the attacker's behalf [4].
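The check the two paragraphs above describe, reimplemented in Python as an added example for this page (Shopware's validator is PHP and this is not its code): a naive validator that knows IPv4 ranges but takes any syntactically valid IPv6 literal at face value, next to a hardened one that first unwraps IPv6 forms embedding an IPv4 address and only then classifies the result. It goes beyond the IPv4-mapped case in the fix by also unwrapping 6to4, NAT64 and the deprecated IPv4-compatible form. All function names, the "naive" stand-in, and the sample URLs are this example's own; the first eight sample URLs mirror cases from the fix's test data provider, the rest are constructed.

```python
"""Host check for an upload-from-URL feature: naive vs. hardened (added example, not Shopware code)."""
import ipaddress
from typing import Optional

NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 translation prefix


def extract_host(url: str) -> Optional[str]:
    """Host of an absolute URL, or None. Lenient like the patched Shopware validator:
    '[::1]' and a bare '::1' both come back as '::1'. Userinfo is dropped, so the decoy
    'https://8.8.8.8@127.0.0.1/' yields '127.0.0.1', the host that is actually dialled."""
    sep = url.find("://")
    if sep < 0:
        return None
    authority = url[sep + 3:]
    for stop in "/?#":
        cut = authority.find(stop)
        if cut >= 0:
            authority = authority[:cut]
    authority = authority.rsplit("@", 1)[-1]
    if authority.startswith("["):                  # bracketed IPv6, optional :port
        end = authority.find("]")
        return authority[1:end] if end > 1 else None
    if authority.count(":") > 1:                   # bare IPv6 literal
        return authority
    return authority.split(":", 1)[0] or None      # host or host:port


def parse_literal(url: str):
    """IPv4Address/IPv6Address for the URL host, or None if absent or not an IP literal."""
    host = extract_host(url)
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def unwrap_embedded_ipv4(ip):
    """Reduce IPv6 literals whose low 32 bits carry an IPv4 address to that IPv4 address."""
    if ip.version != 6:
        return ip
    if ip.ipv4_mapped is not None:                 # ::ffff:a.b.c.d (RFC 4291 2.5.5.2)
        return ip.ipv4_mapped
    if ip.sixtofour is not None:                   # 2002:aabb:ccdd:: (RFC 3056)
        return ip.sixtofour
    if ip in NAT64_WELL_KNOWN:                     # 64:ff9b::a.b.c.d
        return ipaddress.IPv4Address(ip.packed[12:])
    if ip.packed[:12] == bytes(12) and not (ip.is_unspecified or ip.is_loopback):
        return ipaddress.IPv4Address(ip.packed[12:])   # deprecated IPv4-compatible ::a.b.c.d
    return ip


def is_internal(ip) -> bool:
    """Anything a server-side fetch must never be pointed at."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def naive_is_allowed(url: str) -> bool:
    """Stand-in for a validator that checks IPv4 ranges but takes IPv6 at face value."""
    ip = parse_literal(url)
    if ip is None:
        return False
    return True if ip.version == 6 else not is_internal(ip)


def hardened_is_allowed(url: str) -> bool:
    """Unwrap embedded IPv4 first, then classify whatever remains."""
    ip = parse_literal(url)
    if ip is None:
        return False
    return not is_internal(unwrap_embedded_ipv4(ip))


# Constructed inputs: (url, naive verdict, hardened verdict). The first eight mirror
# cases from the fix's test data provider; the rest probe forms it does not cover.
VECTORS = [
    ("https://127.0.0.1",                   False, False),
    ("https://192.168.0.0",                 False, False),
    ("https://0:0:0:0:0:FFFF:7F00:0001",    True,  False),   # mapped 127.0.0.1, hex tail
    ("https://[0:0:0:0:0:FFFF:127.0.0.1]",  True,  False),   # mapped 127.0.0.1, dotted tail
    ("https://FE80::",                      True,  False),   # link-local
    ("https://FC00::",                      True,  False),   # unique local
    ("https://378.0.0.1",                   False, False),   # not an address
    ("https://8.8.8.8",                     True,  True),
    ("https://[2001:4860:4860::8888]",      True,  True),
    ("https://[::1]",                       True,  False),
    ("https://[::127.0.0.1]",               True,  False),   # IPv4-compatible
    ("https://[64:ff9b::127.0.0.1]",        True,  False),   # NAT64
    ("https://[2002:7f00:1::]",             True,  False),   # 6to4
    ("https://[::ffff:8.8.8.8]",            True,  True),    # public address stays allowed
    ("https://8.8.8.8@127.0.0.1/x",         False, False),   # userinfo decoy
]


def mismatches():
    """Vectors where either validator disagrees with its expected verdict (empty when all hold)."""
    return [(url, naive_is_allowed(url), hardened_is_allowed(url))
            for url, naive, hardened in VECTORS
            if (naive_is_allowed(url), hardened_is_allowed(url)) != (naive, hardened)]


if __name__ == "__main__":
    for url, _, _ in VECTORS:
        print(f"{url:38} naive={naive_is_allowed(url)!s:5} hardened={hardened_is_allowed(url)}")
```

Two caveats on the design. Python's ipaddress classifies the documentation prefix 2001:db8::/32 as private, so the provider's 2001:db8 cases are replaced by a real public address here. And a literal-only check is one layer, not the whole defence: for hostnames the same classification has to run on every address the resolver returns, and again on each redirect target, or the fetch has to go through a client that refuses to follow redirects.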
Impact
Successful exploitation lets the authenticated user make the Shopware server issue requests to addresses of their choosing, including loopback and private-network hosts: reaching internal services that trust the server, reading metadata or files those services expose, or port-scanning the internal network from the server [1][4]. Requests originate from the server's network context, so the exposure is bounded by what that host can reach, but that commonly includes endpoints never meant to be reachable by a shop user.
Mitigation
The vulnerability is patched in Shopware 6.4.3.1, released August 2021; update via the Auto-Updater or a direct download [1][4]. For the 6.1, 6.2, and 6.3 lines that cannot be updated immediately, a security plugin providing equivalent protection is available from the Shopware store [4]. No other workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| shopware/platform | Packagist | < 6.4.3.1 | 6.4.3.1 |
| shopware/core | Packagist | < 6.4.3.1 | 6.4.3.1 |
Affected products (3)
- GHSA coordinates, 2 version ranges: < 6.4.3.1 (+1 more)
- (no CPE) range: < 6.4.3.1
- (no CPE) range: < 6.4.3.1
- shopware/platform, CVE v5 range: <= 6.4.3.0
Patches (1)
b9f330e652b7 NEXT-15673 - Fix file upload ip validation for IPv6
2 files changed · +63 −0
src/Core/Content/Media/File/FileUrlValidator.php+26 −0 modified@@ -17,6 +17,11 @@ public function isValid(string $source): bool // Potentially IPv6 $ip = trim($ip, '[]'); + return $this->validateIp($ip); + } + + private function validateIp(string $ip): bool + { $ip = filter_var( $ip, \FILTER_VALIDATE_IP, @@ -27,6 +32,27 @@ public function isValid(string $source): bool return false; } + if (!filter_var($ip, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV6)) { + return true; + } + + // Convert IPv6 to packed format and back so we can check if there is a IPv4 representation of the IP + $packedIp = inet_pton($ip); + if (!$packedIp) { + return false; + } + $convertedIp = inet_ntop($packedIp); + if (!$convertedIp) { + return false; + } + $convertedIp = explode(':', $convertedIp); + $ipv4 = array_pop($convertedIp); + + // Additionally filter IPv4 representation of the IP + if (filter_var($ipv4, \FILTER_VALIDATE_IP, \FILTER_FLAG_IPV4)) { + return $this->validateIp($ipv4); + } + return true; } }
src/Core/Content/Test/Media/File/FileUrlValidatorTest.php+37 −0 added@@ -0,0 +1,37 @@ +<?php declare(strict_types=1); + +namespace Shopware\Core\Content\Test\Media\File; + +use PHPUnit\Framework\TestCase; +use Shopware\Core\Content\Media\File\FileUrlValidator; + +class FileUrlValidatorTest extends TestCase +{ + /** + * @dataProvider fileSourceProvider + */ + public function testIsValid(string $source, bool $expectedResult): void + { + $validator = new FileUrlValidator(); + + static::assertEquals($expectedResult, $validator->isValid($source)); + } + + public function fileSourceProvider(): array + { + return [ + 'reserved IPv4' => ['https://127.0.0.1', false], + 'converted reserved IPv4' => ['https://0:0:0:0:0:FFFF:7F00:0001', false], + 'reserved IPv4 mapped to IPv6' => ['https://[0:0:0:0:0:FFFF:127.0.0.1]', false], + 'reserved IPv6' => ['https://FE80::', false], + 'private IPv4' => ['https://192.168.0.0', false], + 'converted private IPv4' => ['https://0:0:0:0:0:FFFF:C0A8:0000', false], + 'private IPv4 mapped to IPv6' => ['https://[0:0:0:0:0:FFFF:192.168.0.0]', false], + 'private IPv6' => ['https://FC00::', false], + 'invalid IPv4' => ['https://378.0.0.1', false], + 'valid IPv4' => ['https://8.8.8.8', true], + 'valid IPv6' => ['https://2001:db8::8a2e:370:7334', true], + 'valid IPv6 URL' => ['https://[2001:db8::8a2e:370:7334]', true], + ]; + } +}
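Review bot: in the first FileUrlValidator.php hunk (@@ -17,6 +17,11 @@) the new private validateIp has no docblock, and its contract matters because the second hunk calls it recursively: it must return true only for a public address and false for anything else, including a string that is not an IP at all. Add a short docblock saying so. Also note that the caller's `$ip = trim($ip, '[]');` strips any run of brackets from either end, so '[[::1' and '::1]]' both reach validateIp as '::1'; if strict URL syntax is wanted, test for exactly one leading '[' and one trailing ']' instead of trim.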
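Review bot: in the second FileUrlValidator.php hunk (@@ -27,6 +32,27 @@) the IPv4 extraction depends on inet_ntop's text rendering rather than on the bytes already in `$packedIp`: `explode(':', $convertedIp)` followed by `array_pop` only yields a dotted quad when inet_ntop chose to print one, which it does for ::ffff:a.b.c.d (and, with glibc, for the deprecated ::a.b.c.d form) but not for other prefixes that embed an IPv4 address, such as 6to4 2002::/16 or the NAT64 prefix 64:ff9b::/96. Since the packed form is in hand, test the prefix directly, e.g. `substr($packedIp, 0, 12) === str_repeat("\0", 10) . "\xff\xff"` and then validate `inet_ntop(substr($packedIp, 12, 4))`, and decide explicitly which other embedding prefixes to unwrap. When no dotted quad is found the function falls through to `return true`, so everything then rests on the earlier filter_var call having rejected the IPv6 itself; a comment stating that dependency would help the next reader.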
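Review bot: the data provider in FileUrlValidatorTest.php pins only the uppercase, uncompressed mapped spellings; add the compressed forms a user actually types, `'https://[::ffff:127.0.0.1]'` and `'https://[::ffff:7f00:1]'`, the plain loopback `'https://[::1]'`, and the deprecated IPv4-compatible `'https://[::127.0.0.1]'` (which the explode/array_pop path catches only if inet_ntop prints it with a dotted quad), all expected false, plus one mapped public address such as `'https://[::ffff:8.8.8.8]'` with whichever verdict is intended, so the unwrapping is exercised in both directions rather than only for rejected addresses.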
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
1. https://github.com/advisories/GHSA-gcvv-gq92-x94r (source: GHSA; ADVISORY)
2. https://nvd.nist.gov/vuln/detail/CVE-2021-37711 (source: GHSA; ADVISORY)
3. https://github.com/shopware/platform/commit/b9f330e652b743dd2374c02bbe68f28b59a3f502 (source: GHSA; x_refsource_MISC, WEB)
4. https://github.com/shopware/platform/security/advisories/GHSA-gcvv-gq92-x94r (source: GHSA; x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.