
Security is an ongoing commitment; sometimes, despite our best efforts, vulnerabilities slip through the cracks. Over the past weeks we received several independent security reports concerning different areas of the platform. Rather than addressing each report in isolation, we used them as an opportunity to conduct a broader audit of the surrounding code – leveraging AI-assisted analysis to systematically scan for similar patterns across the codebase. This deeper investigation allowed us to uncover additional vulnerability instances that would have been easy to miss in a manual review. What started as a handful of reported issues grew into seven distinct advisories. Additionally, we extended the fixes for three previously disclosed vulnerabilities (CVE-2024-29376, CVE-2024-34349, CVE-2024-40633) to cover versions 1.9 through 1.11, which were not included in the original patches.
If you are using Sylius in versions below 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, or 2.2.3, we strongly urge you to update immediately. These vulnerabilities range from open redirects and XSS to authorization bypasses and race conditions that could lead to financial losses for merchants.
Keeping your store secure is our top priority, and we appreciate your trust and vigilance in maintaining a safe eCommerce environment. Below, we outline the details of each issue, its impact, and the necessary steps to protect your business.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
CurrencySwitchController, ImpersonateUserController and StorageBasedLocaleSwitcher use the HTTP Referer header directly when redirecting. An attacker can place a link to the store’s currency or locale switch endpoint on a malicious page. When the victim clicks it, the browser sends the attacker’s site as the Referer, and the application redirects back to it – enabling phishing and credential theft from a trusted domain. Public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session.
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
If an immediate upgrade is not possible, copy the affected classes from vendor to your project’s src/ directory, apply the fix, and override the service definitions. See the full workaround in the advisory.
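As an added illustration of the same-host check the fix relies on (example code written for this post, not the Sylius implementation), the helper below reduces a Referer value to a same-origin path or falls back to a fixed local route; the function name and the call-site wiring are assumed.

```php
<?php
declare(strict_types=1);

// Added example, not Sylius code: reduce a Referer value to a same-origin
// path, or fall back to a fixed local route. Returning only path+query means
// the resulting redirect can never leave the current host.
function safeRedirectTarget(?string $referer, string $trustedHost, string $fallback = '/'): string
{
    if ($referer === null || $referer === '') {
        return $fallback;
    }

    $parts = parse_url($referer);
    if ($parts === false) {
        return $fallback;
    }

    // Require an explicit http/https scheme and a host: this rejects
    // scheme-relative "//evil.example" as well as javascript: and data: URLs.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || !isset($parts['host'])) {
        return $fallback;
    }

    // Exact host match. "shop.example.evil.net" and "shop.example@evil.net"
    // both fail, since parse_url() puts the real authority in 'host'.
    if (strcasecmp($parts['host'], $trustedHost) !== 0) {
        return $fallback;
    }

    // A path beginning with "//" or "/\" would be read by browsers as a new
    // authority, so it is rejected even though the host matched.
    $path = $parts['path'] ?? '/';
    if ($path[0] !== '/' || (strlen($path) > 1 && ($path[1] === '/' || $path[1] === '\\'))) {
        return $fallback;
    }

    $query = isset($parts['query']) ? '?' . $parts['query'] : '';

    return $path . $query;
}

// Typical call site inside a Symfony controller (assumed wiring):
// $target = safeRedirectTarget($request->headers->get('referer'), $request->getHost(), $fallback);
// return new RedirectResponse($target);
```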
The original security advisory has been published on GitHub at Sylius/Sylius repository.
This issue exists in all Sylius versions before 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 that use the API v2.
Sylius API filters ProductPriceOrderFilter and TranslationOrderNameAndLocaleFilter pass user-supplied order direction values directly to Doctrine’s orderBy() without validation, allowing injection of arbitrary DQL expressions through sorting parameters. This compromises the integrity of database queries.
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
If an immediate upgrade is not possible, add an EventSubscriber that sanitizes order query parameters on API routes before they reach the vulnerable filters. See the full workaround in the advisory.
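One shape such a subscriber can take (added example, not the code shipped in the advisory): it drops every `order[...]` value that is not a plain ASC/DESC before the API filters run. It assumes Symfony 5.3 or later, API Platform's `order[field]=direction` query convention, and that API Platform prefers the `_api_filters` request attribute over the raw query string when present; the class name and namespace are placeholders.

```php
<?php
declare(strict_types=1);

namespace App\EventSubscriber; // assumed project namespace

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

// Added example, not Sylius code: only literal ASC/DESC survive as sort directions.
final class OrderDirectionSanitizerSubscriber implements EventSubscriberInterface
{
    private const ALLOWED = ['ASC', 'DESC'];

    public static function getSubscribedEvents(): array
    {
        // High priority so this runs before anything reads the sort parameters.
        return [KernelEvents::REQUEST => ['onKernelRequest', 100]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !str_starts_with($request->getPathInfo(), '/api/v2/')) {
            return;
        }

        // InputBag::all('order') returns [] when absent and throws a
        // BadRequestException when "order" is a scalar rather than an array.
        $order = $request->query->all('order');
        if ($order === []) {
            return;
        }

        $clean = [];
        foreach ($order as $field => $direction) {
            // Anything that is not exactly ASC/DESC (arrays, "ASC, (SELECT ...)") is dropped.
            if (is_string($direction) && in_array(strtoupper($direction), self::ALLOWED, true)) {
                $clean[$field] = strtoupper($direction);
            }
        }

        $request->query->set('order', $clean);

        // Assumed: API Platform reads sanitized filters from this attribute when it is set.
        $filters = $request->query->all();
        $filters['order'] = $clean;
        $request->attributes->set('_api_filters', $filters);
    }
}
```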
The original security advisory has been published on GitHub at Sylius/Sylius repository.
This issue exists in all Sylius versions before 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, and 2.2.3 that use promotions or coupons with usage limits.
A Time-of-Check To Time-of-Use (TOCTOU) race condition exists in the promotion usage limit enforcement, affecting the global promotion counter, the global coupon counter, and the per-customer coupon limit. The eligibility check reads the counter from memory while the increment happens later during order completion with no locking between the two phases. An attacker can prepare multiple carts with the same limited-use promotion and fire simultaneous completion requests, redeeming a single-use coupon an arbitrary number of times. This may lead to direct financial losses for merchants.
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
If an immediate upgrade is not possible, decorate the OrderPromotionsUsageModifier service to use atomic database operations. See the full workaround in the advisory.
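The core of an atomic replacement for the read-then-increment pattern, as an added example (not the advisory's workaround code): the limit check and the increment become one conditional UPDATE, so the database serializes concurrent completions. It assumes Doctrine DBAL 2.11 or later and the table and column names `sylius_promotion_coupon`, `used`, `usage_limit`; the class and method names are placeholders, and only the global coupon counter is shown.

```php
<?php
declare(strict_types=1);

use Doctrine\DBAL\Connection;

// Added example, not Sylius code: claim one coupon usage atomically.
// The row lock taken by UPDATE means two requests racing for the last
// remaining use cannot both see "used < usage_limit" as true.
final class AtomicCouponUsage
{
    private Connection $connection;

    public function __construct(Connection $connection)
    {
        $this->connection = $connection;
    }

    /** Returns true if a usage was claimed, false if the limit was already reached. */
    public function claim(int $couponId): bool
    {
        // Assumed schema: sylius_promotion_coupon(id, used, usage_limit NULL = unlimited)
        $affected = $this->connection->executeStatement(
            'UPDATE sylius_promotion_coupon
                SET used = used + 1
              WHERE id = :id
                AND (usage_limit IS NULL OR used < usage_limit)',
            ['id' => $couponId]
        );

        // 0 affected rows: another request consumed the last use first, or the coupon does not exist.
        return $affected === 1;
    }

    /** Give the usage back when the order fails later in the same flow (e.g. payment declined). */
    public function release(int $couponId): void
    {
        $this->connection->executeStatement(
            'UPDATE sylius_promotion_coupon SET used = used - 1 WHERE id = :id AND used > 0',
            ['id' => $couponId]
        );
    }
}
```

The affected-row count returned by the UPDATE replaces the in-memory eligibility check, which is why the check and the write can no longer be separated by another request.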
The original security advisory has been published on GitHub at Sylius/Sylius repository.
It is possible to store an XSS payload in the Province field in the Checkout and Address Book and have it execute on these pages. The problem occurs when opening the address step page in the checkout or editing the address in the address book. This only affects the base UI Shop provided by Sylius.
The issue is now additionally fixed in versions: 1.9.12, 1.10.16, 1.11.17 (previously fixed in 1.12.16 and above).
If an immediate upgrade is not possible, override the affected templates to escape province names. See the full workaround in the advisory.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
JavaScript can be executed in the Admin Panel by injecting a script into the Name field of Taxons, Products, Product Options, or Product Variants. The code executes when using autocomplete fields with one of the listed entities in the Admin Panel, and also in the taxon category tree on the product form.
The issue is now additionally fixed in versions: 1.9.12, 1.10.16, 1.11.17 (previously fixed in 1.12.16 and above).
If an immediate upgrade is not possible, override the affected templates and JavaScript to escape entity names in autocomplete fields. See the full workaround in the advisory.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
A security vulnerability exists in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. An attacker can enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details and sensitive guest customer information.
The issue is now additionally fixed in versions: 1.9.12, 1.10.16, 1.11.17 (previously fixed in 1.12.19 and above). The /api/v2/shop/adjustments/{id} endpoint now always returns a 404 status.
If an immediate upgrade is not possible, override the shop_get operation for the Adjustment resource to return a 404 response. See the full workaround in the advisory.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
An Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents. The checkout address FormComponent, cart WidgetComponent and cart SummaryComponent accept user-controlled resource IDs via #[LiveArg] parameters and load entities with ->find() without ownership validation. An attacker can enumerate addresses and orders belonging to other users, exposing personal data (name, phone, address), order totals, item counts, discounts, shipping costs, and tax breakdowns. Since active carts and completed orders share the same ID space, all orders are affected.
The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
If an immediate upgrade is not possible, override vulnerable LiveComponent classes at the project level to add authorization checks. See the full workaround in the advisory.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers’ carts by knowing the cart tokenValue. The endpoint response leaks sensitive data including customer email, cart contents, address data, payment and shipment IDs, order totals, and checkout state.
The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
If an immediate upgrade is not possible, add an ownership check in AddItemToCartHandler by injecting UserContextInterface and verifying the current user matches the cart owner. See the full workaround in the advisory.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any HTML or JavaScript in that value to be executed by the browser. In the default installation the message is hardcoded, but the risk escalates with customized authentication handlers, untrusted translation sources, or Man-in-the-Middle interception – potentially leading to session hijacking, credential theft, or cart manipulation.
The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
If an immediate upgrade is not possible, override the vulnerable JavaScript controller at the project level, replacing innerHTML with textContent. See the full workaround in the advisory.
The original security advisory has been published on GitHub at Sylius/Sylius repository.
An authenticated stored XSS vulnerability exists in multiple places across the shop frontend and admin panel. Shop breadcrumbs use the Twig |raw filter on label values, the admin product taxon picker interpolates names directly into HTML, and admin autocomplete fields render entity names without escaping. An administrator can inject arbitrary JavaScript via entity names (e.g. taxon name) that is persistently executed for every visitor on both the storefront and admin panel.
The issue is fixed in versions: 2.0.16, 2.1.12, 2.2.3 and above.
If an immediate upgrade is not possible, override vulnerable templates and JavaScript controllers at the project level. See the full workaround in the advisory.
Keeping your store secure is crucial – please update your Sylius installation and inform your peers in the community about these fixes to ensure a safer environment for all.
We would like to thank everyone who participated in responsible disclosure of these vulnerabilities. If you believe you have found a security vulnerability in Sylius, please do not post it publicly. Instead, report it to [email protected].
