VulnerableCode Package Details - pkg:composer/symfony/http-client@4.4.9

Search for packages

Vulnerability	Summary	Fixed by
VCID-8kq8-2mv9-s3ad Aliases: CVE-2024-50342 GHSA-9c3x-r3wp-mgxm	Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.	5.4.47 Affected by 0 other vulnerabilities. 6.0.0-BETA1 Affected by 0 other vulnerabilities. 6.4.15 Affected by 0 other vulnerabilities. 7.0.0-BETA1 Affected by 0 other vulnerabilities. 7.1.8 Affected by 0 other vulnerabilities. 7.2.0-BETA1 Affected by 0 other vulnerabilities.
VCID-txk7-krb1-bqd9 Aliases: CVE-2020-15094 GHSA-754h-5r27-7x3r	RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.	4.4.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.0-BETA1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.1.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.2.0-RC1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8kq8-2mv9-s3ad
Aliases:
CVE-2024-50342
GHSA-9c3x-r3wp-mgxm

Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

5.4.47
Affected by 0 other vulnerabilities.

6.0.0-BETA1
Affected by 0 other vulnerabilities.

6.4.15
Affected by 0 other vulnerabilities.

7.0.0-BETA1
Affected by 0 other vulnerabilities.

7.1.8
Affected by 0 other vulnerabilities.

7.2.0-BETA1
Affected by 0 other vulnerabilities.

VCID-txk7-krb1-bqd9
Aliases:
CVE-2020-15094
GHSA-754h-5r27-7x3r

RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

4.4.13
Affected by 1 other vulnerability.

5.0.0-BETA1
Affected by 1 other vulnerability.

5.1.5
Affected by 1 other vulnerability.

5.2.0-RC1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:13:19.811557+00:00	GitLab Importer	Affected by	VCID-8kq8-2mv9-s3ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-client/CVE-2024-50342.yml	38.4.0
2026-04-16T21:07:47.150913+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-client/CVE-2020-15094.yml	38.4.0
2026-04-12T00:31:49.665423+00:00	GitLab Importer	Affected by	VCID-8kq8-2mv9-s3ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-client/CVE-2024-50342.yml	38.3.0
2026-04-11T22:19:27.508066+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-client/CVE-2020-15094.yml	38.3.0
2026-04-03T00:39:33.230917+00:00	GitLab Importer	Affected by	VCID-8kq8-2mv9-s3ad	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-client/CVE-2024-50342.yml	38.1.0
2026-04-02T22:31:27.149745+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-client/CVE-2020-15094.yml	38.1.0
2026-04-01T16:49:29.724381+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-client/CVE-2020-15094.yml	38.0.0