GMS-2021-56: Exposure of .env if project root is configured as web root in shopware/production

April 13, 2021 (updated June 8, 2026)

The .env and other sensitive files can be leaked if the project root and not /public is configured as the web root.

References

github.com/advisories/GHSA-3pcr-4982-548m
github.com/shopware/platform/security/advisories/GHSA-3pcr-4982-548m
github.com/shopware/shopware/security/advisories/GHSA-3pcr-4982-548m

Code Behaviors & Features

Detect and mitigate GMS-2021-56 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →