Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/symfony/symfony@6.3.0-RC1
Typecomposer
Namespacesymfony
Namesymfony
Version6.3.0-RC1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.4.33
Latest_non_vulnerable_version8.0.5
Affected_by_vulnerabilities
0
url VCID-4num-z8cg-83gt
vulnerability_id VCID-4num-z8cg-83gt
summary 
Symfony vulnerable to command execution hijack on Windows with Process class
### Description

On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking.

### Resolution

The `Process` class now uses the absolute path to `cmd.exe`.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4.

### Credits

We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-51736
reference_id
reference_type
scores
0
value 0.00783
scoring_system epss
scoring_elements 0.73696
published_at 2026-04-02T12:55:00Z
1
value 0.00783
scoring_system epss
scoring_elements 0.73785
published_at 2026-04-18T12:55:00Z
2
value 0.00783
scoring_system epss
scoring_elements 0.73777
published_at 2026-04-16T12:55:00Z
3
value 0.00783
scoring_system epss
scoring_elements 0.73735
published_at 2026-04-13T12:55:00Z
4
value 0.00783
scoring_system epss
scoring_elements 0.73744
published_at 2026-04-12T12:55:00Z
5
value 0.00783
scoring_system epss
scoring_elements 0.73761
published_at 2026-04-11T12:55:00Z
6
value 0.00783
scoring_system epss
scoring_elements 0.7374
published_at 2026-04-09T12:55:00Z
7
value 0.00783
scoring_system epss
scoring_elements 0.73727
published_at 2026-04-08T12:55:00Z
8
value 0.00783
scoring_system epss
scoring_elements 0.73692
published_at 2026-04-07T12:55:00Z
9
value 0.00783
scoring_system epss
scoring_elements 0.7372
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-51736
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9
5
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q
reference_id
reference_type
scores
0
value 0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
1
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-11-21T23:20:34Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51736
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51736
7
reference_url https://symfony.com/cve-2024-51736
reference_id
reference_type
scores
0
value 8.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-51736
8
reference_url https://github.com/advisories/GHSA-qq5c-677p-737q
reference_id GHSA-qq5c-677p-737q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qq5c-677p-737q
fixed_packages
0
url pkg:composer/symfony/symfony@6.4.14
purl pkg:composer/symfony/symfony@6.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.14
1
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
2
url pkg:composer/symfony/symfony@7.1.7
purl pkg:composer/symfony/symfony@7.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.7
3
url pkg:composer/symfony/symfony@7.2.0-BETA1
purl pkg:composer/symfony/symfony@7.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.2.0-BETA1
aliases CVE-2024-51736, GHSA-qq5c-677p-737q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4num-z8cg-83gt
1
url VCID-7hh3-16j3-4yaf
vulnerability_id VCID-7hh3-16j3-4yaf
summary 
Symfony possible session fixation vulnerability
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier does not change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations, which is not the case at the moment. As of versions 5.4.31 and 6.3.8, Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-46733
reference_id
reference_type
scores
0
value 0.01058
scoring_system epss
scoring_elements 0.77568
published_at 2026-04-02T12:55:00Z
1
value 0.01058
scoring_system epss
scoring_elements 0.77612
published_at 2026-04-09T12:55:00Z
2
value 0.01058
scoring_system epss
scoring_elements 0.77605
published_at 2026-04-08T12:55:00Z
3
value 0.01058
scoring_system epss
scoring_elements 0.77575
published_at 2026-04-07T12:55:00Z
4
value 0.01058
scoring_system epss
scoring_elements 0.77595
published_at 2026-04-04T12:55:00Z
5
value 0.01058
scoring_system epss
scoring_elements 0.77656
published_at 2026-04-18T12:55:00Z
6
value 0.01058
scoring_system epss
scoring_elements 0.77659
published_at 2026-04-16T12:55:00Z
7
value 0.01058
scoring_system epss
scoring_elements 0.77621
published_at 2026-04-13T12:55:00Z
8
value 0.01058
scoring_system epss
scoring_elements 0.77623
published_at 2026-04-12T12:55:00Z
9
value 0.01058
scoring_system epss
scoring_elements 0.77639
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-46733
1
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
2
reference_url https://github.com/symfony/symfony/commit/7467bd7e3f888b333102bc664b5e02ef1e7f88b9
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:06Z/
url https://github.com/symfony/symfony/commit/7467bd7e3f888b333102bc664b5e02ef1e7f88b9
3
reference_url https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:06Z/
url https://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055775
reference_id 1055775
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055775
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46733
reference_id CVE-2023-46733
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-46733
6
reference_url https://symfony.com/cve-2023-46733
reference_id CVE-2023-46733
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2023-46733
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46733.yaml
reference_id CVE-2023-46733.YAML
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46733.yaml
8
reference_url https://github.com/advisories/GHSA-m2wj-r6g3-fxfx
reference_id GHSA-m2wj-r6g3-fxfx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m2wj-r6g3-fxfx
9
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx
reference_id GHSA-m2wj-r6g3-fxfx
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:06Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx
fixed_packages
0
url pkg:composer/symfony/symfony@6.3.8
purl pkg:composer/symfony/symfony@6.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.3.8
1
url pkg:composer/symfony/symfony@6.4.0-BETA1
purl pkg:composer/symfony/symfony@6.4.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.0-BETA1
aliases CVE-2023-46733, GHSA-m2wj-r6g3-fxfx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7hh3-16j3-4yaf
2
url VCID-8kq8-2mv9-s3ad
vulnerability_id VCID-8kq8-2mv9-s3ad
summary 
Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
### Description

When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

### Resolution

The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks.

The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4.

The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also.

### Credits

We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50342
reference_id
reference_type
scores
0
value 0.00361
scoring_system epss
scoring_elements 0.5821
published_at 2026-04-02T12:55:00Z
1
value 0.00361
scoring_system epss
scoring_elements 0.58281
published_at 2026-04-11T12:55:00Z
2
value 0.00361
scoring_system epss
scoring_elements 0.58264
published_at 2026-04-09T12:55:00Z
3
value 0.00361
scoring_system epss
scoring_elements 0.58259
published_at 2026-04-08T12:55:00Z
4
value 0.00361
scoring_system epss
scoring_elements 0.58205
published_at 2026-04-07T12:55:00Z
5
value 0.00361
scoring_system epss
scoring_elements 0.5823
published_at 2026-04-04T12:55:00Z
6
value 0.00361
scoring_system epss
scoring_elements 0.58257
published_at 2026-04-12T12:55:00Z
7
value 0.00502
scoring_system epss
scoring_elements 0.66079
published_at 2026-04-18T12:55:00Z
8
value 0.00502
scoring_system epss
scoring_elements 0.66065
published_at 2026-04-16T12:55:00Z
9
value 0.00502
scoring_system epss
scoring_elements 0.6603
published_at 2026-04-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50342
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:26:26Z/
url https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b
5
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:26:26Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50342
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50342
7
reference_url https://symfony.com/cve-2024-50342
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50342
8
reference_url https://github.com/advisories/GHSA-9c3x-r3wp-mgxm
reference_id GHSA-9c3x-r3wp-mgxm
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9c3x-r3wp-mgxm
9
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@6.4.15
purl pkg:composer/symfony/symfony@6.4.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.15
1
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
2
url pkg:composer/symfony/symfony@7.1.8
purl pkg:composer/symfony/symfony@7.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.8
3
url pkg:composer/symfony/symfony@7.2.0-BETA1
purl pkg:composer/symfony/symfony@7.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.2.0-BETA1
aliases CVE-2024-50342, GHSA-9c3x-r3wp-mgxm
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8kq8-2mv9-s3ad
3
url VCID-9bzz-84cq-ykh2
vulnerability_id VCID-9bzz-84cq-ykh2
summary 
Symfony vulnerable to open redirect via browser-sanitized URLs
### Description

The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain.

### Resolution

The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4.

### Credits

We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50345
reference_id
reference_type
scores
0
value 0.00394
scoring_system epss
scoring_elements 0.60271
published_at 2026-04-02T12:55:00Z
1
value 0.00394
scoring_system epss
scoring_elements 0.60367
published_at 2026-04-18T12:55:00Z
2
value 0.00394
scoring_system epss
scoring_elements 0.60359
published_at 2026-04-16T12:55:00Z
3
value 0.00394
scoring_system epss
scoring_elements 0.60318
published_at 2026-04-13T12:55:00Z
4
value 0.00394
scoring_system epss
scoring_elements 0.60337
published_at 2026-04-12T12:55:00Z
5
value 0.00394
scoring_system epss
scoring_elements 0.60351
published_at 2026-04-11T12:55:00Z
6
value 0.00394
scoring_system epss
scoring_elements 0.6033
published_at 2026-04-09T12:55:00Z
7
value 0.00394
scoring_system epss
scoring_elements 0.60316
published_at 2026-04-08T12:55:00Z
8
value 0.00394
scoring_system epss
scoring_elements 0.60266
published_at 2026-04-07T12:55:00Z
9
value 0.00394
scoring_system epss
scoring_elements 0.60297
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50345
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50345
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50345
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
4
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
5
reference_url https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
6
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
7
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50345
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50345
9
reference_url https://symfony.com/cve-2024-50345
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50345
10
reference_url https://url.spec.whatwg.org
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/
url https://url.spec.whatwg.org
11
reference_url https://github.com/advisories/GHSA-mrqx-rp3w-jpjp
reference_id GHSA-mrqx-rp3w-jpjp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mrqx-rp3w-jpjp
12
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@6.4.14
purl pkg:composer/symfony/symfony@6.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.14
1
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
2
url pkg:composer/symfony/symfony@7.1.7
purl pkg:composer/symfony/symfony@7.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.7
3
url pkg:composer/symfony/symfony@7.2.0-BETA1
purl pkg:composer/symfony/symfony@7.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.2.0-BETA1
aliases CVE-2024-50345, GHSA-mrqx-rp3w-jpjp
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9bzz-84cq-ykh2
4
url VCID-bdhj-np35-sybt
vulnerability_id VCID-bdhj-np35-sybt
summary 
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-46734
reference_id
reference_type
scores
0
value 0.02089
scoring_system epss
scoring_elements 0.83967
published_at 2026-04-02T12:55:00Z
1
value 0.02089
scoring_system epss
scoring_elements 0.84016
published_at 2026-04-09T12:55:00Z
2
value 0.02089
scoring_system epss
scoring_elements 0.8401
published_at 2026-04-08T12:55:00Z
3
value 0.02089
scoring_system epss
scoring_elements 0.83986
published_at 2026-04-07T12:55:00Z
4
value 0.02089
scoring_system epss
scoring_elements 0.83982
published_at 2026-04-04T12:55:00Z
5
value 0.02089
scoring_system epss
scoring_elements 0.84047
published_at 2026-04-18T12:55:00Z
6
value 0.02089
scoring_system epss
scoring_elements 0.84045
published_at 2026-04-16T12:55:00Z
7
value 0.02089
scoring_system epss
scoring_elements 0.84021
published_at 2026-04-13T12:55:00Z
8
value 0.02089
scoring_system epss
scoring_elements 0.84025
published_at 2026-04-12T12:55:00Z
9
value 0.02089
scoring_system epss
scoring_elements 0.84032
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-46734
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46734
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46734
2
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
3
reference_url https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://github.com/symfony/symfony/commit/5d095d5feb1322b16450284a04d6bb48d1198f54
4
reference_url https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c
5
reference_url https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://lists.debian.org/debian-lts-announce/2023/11/msg00019.html
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055774
reference_id 1055774
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055774
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46734
reference_id CVE-2023-46734
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-46734
8
reference_url https://symfony.com/cve-2023-46734
reference_id CVE-2023-46734
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2023-46734
9
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml
reference_id CVE-2023-46734.YAML
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46734.yaml
10
reference_url https://github.com/advisories/GHSA-q847-2q57-wmr3
reference_id GHSA-q847-2q57-wmr3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q847-2q57-wmr3
11
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
reference_id GHSA-q847-2q57-wmr3
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:11:26Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
12
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@6.3.8
purl pkg:composer/symfony/symfony@6.3.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.3.8
1
url pkg:composer/symfony/symfony@6.4.0-BETA1
purl pkg:composer/symfony/symfony@6.4.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
6
vulnerability VCID-pdcr-fsbk-63bx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.0-BETA1
aliases CVE-2023-46734, GHSA-q847-2q57-wmr3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bdhj-np35-sybt
5
url VCID-c8ar-82sr-fqej
vulnerability_id VCID-c8ar-82sr-fqej
summary 
Symfony has an incorrect response from Validator when input ends with `\n`
### Description

It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`.

### Resolution

Symfony now uses the `D` regex modifier to match the entire input.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4.

### Credits

We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50343
reference_id
reference_type
scores
0
value 0.00246
scoring_system epss
scoring_elements 0.47872
published_at 2026-04-04T12:55:00Z
1
value 0.00246
scoring_system epss
scoring_elements 0.47929
published_at 2026-04-18T12:55:00Z
2
value 0.00246
scoring_system epss
scoring_elements 0.47934
published_at 2026-04-16T12:55:00Z
3
value 0.00246
scoring_system epss
scoring_elements 0.4788
published_at 2026-04-13T12:55:00Z
4
value 0.00246
scoring_system epss
scoring_elements 0.47871
published_at 2026-04-12T12:55:00Z
5
value 0.00246
scoring_system epss
scoring_elements 0.47893
published_at 2026-04-11T12:55:00Z
6
value 0.00246
scoring_system epss
scoring_elements 0.47869
published_at 2026-04-09T12:55:00Z
7
value 0.00246
scoring_system epss
scoring_elements 0.47874
published_at 2026-04-08T12:55:00Z
8
value 0.00246
scoring_system epss
scoring_elements 0.47821
published_at 2026-04-07T12:55:00Z
9
value 0.00246
scoring_system epss
scoring_elements 0.4785
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50343
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50343
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50343
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50343.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50343.yaml
3
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2024-50343.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/validator/CVE-2024-50343.yaml
4
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
5
reference_url https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:25:47Z/
url https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f
6
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:25:47Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9
7
reference_url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50343
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50343
9
reference_url https://symfony.com/cve-2024-50343
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50343
10
reference_url https://github.com/advisories/GHSA-g3rh-rrhp-jhh9
reference_id GHSA-g3rh-rrhp-jhh9
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g3rh-rrhp-jhh9
11
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@6.4.11
purl pkg:composer/symfony/symfony@6.4.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-en6a-wp7q-fbfs
4
vulnerability VCID-kgu6-gj5d-7bfx
5
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.11
1
url pkg:composer/symfony/symfony@7.1.4
purl pkg:composer/symfony/symfony@7.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-en6a-wp7q-fbfs
4
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.4
aliases CVE-2024-50343, GHSA-g3rh-rrhp-jhh9
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c8ar-82sr-fqej
6
url VCID-en6a-wp7q-fbfs
vulnerability_id VCID-en6a-wp7q-fbfs
summary 
Symfony allows changing the environment through a query
### Description

When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

### Resolution

The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4.

### Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50340
reference_id
reference_type
scores
0
value 0.85618
scoring_system epss
scoring_elements 0.99368
published_at 2026-04-02T12:55:00Z
1
value 0.85618
scoring_system epss
scoring_elements 0.99376
published_at 2026-04-18T12:55:00Z
2
value 0.85618
scoring_system epss
scoring_elements 0.99375
published_at 2026-04-12T12:55:00Z
3
value 0.85618
scoring_system epss
scoring_elements 0.99374
published_at 2026-04-13T12:55:00Z
4
value 0.85618
scoring_system epss
scoring_elements 0.99373
published_at 2026-04-09T12:55:00Z
5
value 0.85618
scoring_system epss
scoring_elements 0.99372
published_at 2026-04-08T12:55:00Z
6
value 0.85618
scoring_system epss
scoring_elements 0.99371
published_at 2026-04-07T12:55:00Z
7
value 0.85618
scoring_system epss
scoring_elements 0.9937
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50340
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/runtime/CVE-2024-50340.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/runtime/CVE-2024-50340.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50340.yaml
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50340.yaml
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:27:34Z/
url https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
5
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:27:34Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50340
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50340
7
reference_url https://symfony.com/cve-2024-50340
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50340
8
reference_url https://github.com/advisories/GHSA-x8vp-gf4q-mw5j
reference_id GHSA-x8vp-gf4q-mw5j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x8vp-gf4q-mw5j
9
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@6.4.14
purl pkg:composer/symfony/symfony@6.4.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
1
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.14
1
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
2
url pkg:composer/symfony/symfony@7.1.7
purl pkg:composer/symfony/symfony@7.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.7
3
url pkg:composer/symfony/symfony@7.2.0-BETA1
purl pkg:composer/symfony/symfony@7.2.0-BETA1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.2.0-BETA1
aliases CVE-2024-50340, GHSA-x8vp-gf4q-mw5j
risk_score 10.0
exploitability 2.0
weighted_severity 6.6
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-en6a-wp7q-fbfs
7
url VCID-p1dw-w76f-gbfv
vulnerability_id VCID-p1dw-w76f-gbfv
summary 
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-64500
reference_id
reference_type
scores
0
value 0.00047
scoring_system epss
scoring_elements 0.14662
published_at 2026-04-02T12:55:00Z
1
value 0.01842
scoring_system epss
scoring_elements 0.82999
published_at 2026-04-18T12:55:00Z
2
value 0.0197
scoring_system epss
scoring_elements 0.83544
published_at 2026-04-11T12:55:00Z
3
value 0.0197
scoring_system epss
scoring_elements 0.83538
published_at 2026-04-12T12:55:00Z
4
value 0.02482
scoring_system epss
scoring_elements 0.85295
published_at 2026-04-13T12:55:00Z
5
value 0.03928
scoring_system epss
scoring_elements 0.88321
published_at 2026-04-09T12:55:00Z
6
value 0.03928
scoring_system epss
scoring_elements 0.88316
published_at 2026-04-08T12:55:00Z
7
value 0.03928
scoring_system epss
scoring_elements 0.88296
published_at 2026-04-07T12:55:00Z
8
value 0.03928
scoring_system epss
scoring_elements 0.88291
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-64500
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64500
2
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
3
reference_url https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/symfony/symfony/commit/9962b91b12bb791322fa73836b350836b6db7cac
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64500
reference_id CVE-2025-64500
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-64500
5
reference_url https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
reference_id CVE-2025-64500-INCORRECT-PARSING-OF-PATH-INFO-CAN-LEAD-TO-LIMITED-AUTHORIZATION-BYPASS
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
6
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml
reference_id CVE-2025-64500.YAML
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2025-64500.yaml
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml
reference_id CVE-2025-64500.YAML
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2025-64500.yaml
8
reference_url https://github.com/advisories/GHSA-3rg7-wf37-54rm
reference_id GHSA-3rg7-wf37-54rm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3rg7-wf37-54rm
9
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
reference_id GHSA-3rg7-wf37-54rm
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-13T16:50:43Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-3rg7-wf37-54rm
fixed_packages
0
url pkg:composer/symfony/symfony@6.4.29
purl pkg:composer/symfony/symfony@6.4.29
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.29
1
url pkg:composer/symfony/symfony@7.0.0-BETA1
purl pkg:composer/symfony/symfony@7.0.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.0-BETA1
2
url pkg:composer/symfony/symfony@7.3.7
purl pkg:composer/symfony/symfony@7.3.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-kgu6-gj5d-7bfx
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.3.7
3
url pkg:composer/symfony/symfony@7.4.0-BETA1
purl pkg:composer/symfony/symfony@7.4.0-BETA1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.4.0-BETA1
aliases CVE-2025-64500, GHSA-3rg7-wf37-54rm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p1dw-w76f-gbfv
8
url VCID-pdcr-fsbk-63bx
vulnerability_id VCID-pdcr-fsbk-63bx
summary 
Symfony's `Security::login` does not take into account custom `user_checker`
### Description

The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to  unwanted login.

### Resolution

The `Security::login` method now ensure to call the configured `user_checker`.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4.

### Credits

We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50341
reference_id
reference_type
scores
0
value 0.00145
scoring_system epss
scoring_elements 0.34984
published_at 2026-04-02T12:55:00Z
1
value 0.00145
scoring_system epss
scoring_elements 0.3493
published_at 2026-04-18T12:55:00Z
2
value 0.00145
scoring_system epss
scoring_elements 0.34947
published_at 2026-04-16T12:55:00Z
3
value 0.00145
scoring_system epss
scoring_elements 0.34909
published_at 2026-04-13T12:55:00Z
4
value 0.00145
scoring_system epss
scoring_elements 0.34932
published_at 2026-04-12T12:55:00Z
5
value 0.00145
scoring_system epss
scoring_elements 0.34968
published_at 2026-04-11T12:55:00Z
6
value 0.00145
scoring_system epss
scoring_elements 0.34964
published_at 2026-04-09T12:55:00Z
7
value 0.00145
scoring_system epss
scoring_elements 0.34935
published_at 2026-04-08T12:55:00Z
8
value 0.00145
scoring_system epss
scoring_elements 0.3489
published_at 2026-04-07T12:55:00Z
9
value 0.00145
scoring_system epss
scoring_elements 0.3501
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50341
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2024-50341.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2024-50341.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50341.yaml
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50341.yaml
3
reference_url https://github.com/symfony/symfony
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony
4
reference_url https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:26:59Z/
url https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105
5
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:26:59Z/
url https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50341
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50341
7
reference_url https://symfony.com/cve-2024-50341
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2024-50341
8
reference_url https://github.com/advisories/GHSA-jxgr-3v7q-3w9v
reference_id GHSA-jxgr-3v7q-3w9v
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jxgr-3v7q-3w9v
9
reference_url https://usn.ubuntu.com/7272-1/
reference_id USN-7272-1
reference_type
scores
url https://usn.ubuntu.com/7272-1/
fixed_packages
0
url pkg:composer/symfony/symfony@6.4.10
purl pkg:composer/symfony/symfony@6.4.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-kgu6-gj5d-7bfx
6
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.4.10
1
url pkg:composer/symfony/symfony@7.0.10
purl pkg:composer/symfony/symfony@7.0.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.0.10
2
url pkg:composer/symfony/symfony@7.1.3
purl pkg:composer/symfony/symfony@7.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-c8ar-82sr-fqej
4
vulnerability VCID-en6a-wp7q-fbfs
5
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@7.1.3
aliases CVE-2024-50341, GHSA-jxgr-3v7q-3w9v
risk_score 1.4
exploitability 0.5
weighted_severity 2.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pdcr-fsbk-63bx
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@6.3.0-RC1