# P009C

Varnish Session Hijack Fix

# Description

Shopware has communicated a vulnerability in their Varnish config that allows for user session hijacking. They also communicated that this only affects shops that use Varnish as a reverse proxy and have Shopware 6.7.0 or higher installed.

# Impact

There is no downtime expected from this change, but the Varnish cache will be cleared, since a full restart is required both to clear any poisoned cache and to load the updated config.

# Changes

Shopware stated that the fix was to delete one line in your Varnish config file. They also linked a commit that communicates this change and can be found here.

     if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
         unset beresp.http.Surrogate-Control;
         set beresp.do_esi = true;
-        return (deliver);
     }
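Review bot: the removed `return (deliver);` made the ESI branch exit the subroutine early, so anything that follows this block in the backend-response logic (such as marking session-bearing responses uncacheable) was skipped for every ESI response; with the early return gone, those responses fall through to the same handling as all other backend responses. Worth confirming that the code after this block (not shown in the hunk) is what keeps responses with session data out of the cache, and adding a comment next to `set beresp.do_esi = true;` stating that the branch must not return early, so the line is not reintroduced in a later edit. The hunk also carries no `@@` header or file path; including the full diff would let the change be matched against the deployed VCL.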

# If You Accept

Your Varnish config will be updated and your store will no longer be vulnerable to this specific attack. Additionally, your Varnish cache will be cleared to ensure that any poisoned cache is removed.

# If You Reject

Your store will remain vulnerable to user session hijacking.