Cyber Resilience

CVE-2023-22731

Severity: Critical · Type: RCE

Published: 17 January 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0241 (85.4th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22731 is a critical-severity Code Injection (CWE-94) vulnerability in the Shopware e-commerce platform (vendor: Shopware). Its CVSS base score is 9.9 (Critical).

Operationally, it is ranked in the top 14.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Shopware, an open source e-commerce platform built on Symfony and Vue.js, contains a code injection vulnerability (CWE-94) in its Twig template processing. When the Twig Sandbox extension is not enabled, the `map`, `filter`, and `sort` filters accept the name of an arbitrary global PHP function as their callable argument, so a template can execute unrestricted PHP code.

An attacker who already possesses access to a Twig environment—typically through administrative template-editing privileges—can invoke any PHP function to achieve remote code execution. The CVSS 9.9 score reflects the resulting impact across confidentiality, integrity, and availability in a network-exposed context.

Official advisories and the referenced GitHub security notice state that the issue is resolved in Shopware 6.4.18.1 by overriding the affected filters pending full Sandbox integration; users of versions 6.1–6.3 can obtain equivalent protection via a backported plugin. The associated commits and documentation provide the precise patch details.
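As an added illustration of the mitigation described above (not Shopware's own code and not the project's patch), the following PHP snippet configures a stand-alone Twig environment with the Sandbox extension enabled for every template and an explicit filter allowlist that omits `map`, `filter` and `sort`; a template that tries to hand a PHP function name to `map` is refused, while an ordinary template still renders. It assumes `twig/twig` is installed through Composer and the template names and variables are constructed for this example.

```php
<?php
// Added hardening example (not Shopware code): Twig with the Sandbox
// extension enabled globally and an allowlist that leaves out map/filter/sort,
// so templates cannot reach PHP functions through those filters.
// Assumes twig/twig is installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\Error as TwigError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample templates: one benign, one passing a PHP function name to map.
$loader = new ArrayLoader([
    'greeting'  => 'Hello {{ name|upper }}!',
    'map_abuse' => '{{ names|map("strtoupper")|join(", ") }}',
]);

$twig = new Environment($loader, ['autoescape' => 'html', 'cache' => false]);

// Allowlist policy: tags, filters, object methods, object properties, functions.
// map, filter and sort are deliberately absent; no Twig functions are exposed.
$policy = new SecurityPolicy(
    ['if', 'for'],                          // allowed tags
    ['escape', 'upper', 'join', 'length'],  // allowed filters
    [],                                     // allowed object methods
    [],                                     // allowed object properties
    []                                      // allowed Twig functions
);
// Second argument true = sandbox every template, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

function renderSafely(Environment $twig, string $template, array $vars): string
{
    try {
        return $twig->render($template, $vars);
    } catch (TwigError $e) {
        // The sandbox raises a SecurityError (a Twig\Error\Error subclass) for
        // the disallowed "map" filter; the page is not rendered at all.
        return 'blocked: ' . get_class($e) . ' - ' . $e->getMessage();
    }
}

echo renderSafely($twig, 'greeting', ['name' => 'shop']), PHP_EOL;
echo renderSafely($twig, 'map_abuse', ['names' => ['a', 'b']]), PHP_EOL;
```

The first call prints the rendered greeting; the second prints a "blocked:" line naming the security error, which is the signal to log and alert on when a template editor attempts this.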

EPSS for the CVE rose from low values to a recorded peak of 0.0622 before receding to the current 0.0241, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

Shopware is an open source commerce platform based on Symfony Framework and Vue.js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin.

CWE(s)

CWE-94: Code Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: shopware
Product: shopware
Versions: ≤ 6.4.18.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-94): Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

Control (addresses CWE-94): Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

Control (addresses CWE-94): Validates inputs used in dynamic code generation to block injected directives.

Control (addresses CWE-94): Directly prevents execution of attacker-supplied code written into data memory regions.

References