Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/symfony/http-foundation@2.7.12
purl pkg:composer/symfony/http-foundation@2.7.12
Next non-vulnerable version 5.4.50
Latest non-vulnerable version 7.3.7
Risk 4.5
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-2hua-7wbd-tqbx
Aliases:
CVE-2018-11386
GHSA-r2rq-3h56-fqm4
Insufficient Session Expiration The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
2.7.48
Affected by 6 other vulnerabilities.
2.8.41
Affected by 6 other vulnerabilities.
3.3.17
Affected by 7 other vulnerabilities.
3.4.11
Affected by 6 other vulnerabilities.
4.0.11
Affected by 6 other vulnerabilities.
VCID-3uu1-kftu-nbhd
Aliases:
CVE-2019-10913
GHSA-x92h-wmg2-6hp7
SQL Injection In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.
2.7.51
Affected by 3 other vulnerabilities.
2.8.50
Affected by 4 other vulnerabilities.
3.4.26
Affected by 4 other vulnerabilities.
4.1.12
Affected by 5 other vulnerabilities.
4.2.7
Affected by 4 other vulnerabilities.
VCID-9bzz-84cq-ykh2
Aliases:
CVE-2024-50345
GHSA-mrqx-rp3w-jpjp
Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.
5.4.46
Affected by 1 other vulnerability.
6.4.14
Affected by 1 other vulnerability.
7.1.7
Affected by 1 other vulnerability.
7.2.0-BETA1
Affected by 1 other vulnerability.
VCID-bhfu-7788-fbhc
Aliases:
CVE-2018-14773
GHSA-8wgj-6wx8-h5hq
URL Rewrite vulnerability An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
2.7.49
Affected by 5 other vulnerabilities.
2.8.44
Affected by 5 other vulnerabilities.
3.3.18
Affected by 6 other vulnerabilities.
3.4.14
Affected by 5 other vulnerabilities.
4.0.14
Affected by 5 other vulnerabilities.
4.1.3
Affected by 5 other vulnerabilities.
VCID-jdsd-3vnz-uygn
Aliases:
CVE-2019-18888
GHSA-xhh6-956q-4q69
Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
2.8.52
Affected by 3 other vulnerabilities.
3.4.35
Affected by 3 other vulnerabilities.
4.2.12
Affected by 3 other vulnerabilities.
4.3.8
Affected by 3 other vulnerabilities.
VCID-p1dw-w76f-gbfv
Aliases:
CVE-2025-64500
GHSA-3rg7-wf37-54rm
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.
5.4.50
Affected by 0 other vulnerabilities.
6.4.29
Affected by 0 other vulnerabilities.
7.3.7
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-12T01:13:26.075866+00:00 GitLab Importer Affected by VCID-p1dw-w76f-gbfv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2025-64500.yml 38.3.0
2026-04-12T00:31:44.449192+00:00 GitLab Importer Affected by VCID-9bzz-84cq-ykh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml 38.3.0
2026-04-11T22:10:08.961632+00:00 GitLab Importer Affected by VCID-jdsd-3vnz-uygn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-18888.yml 38.3.0
2026-04-11T22:05:18.471655+00:00 GitLab Importer Affected by VCID-3uu1-kftu-nbhd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-10913.yml 38.3.0
2026-04-11T21:57:49.283369+00:00 GitLab Importer Affected by VCID-bhfu-7788-fbhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2018-14773.yml 38.3.0
2026-04-11T21:56:06.054172+00:00 GitLab Importer Affected by VCID-2hua-7wbd-tqbx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2018-11386.yml 38.3.0
2026-04-03T01:22:23.260600+00:00 GitLab Importer Affected by VCID-p1dw-w76f-gbfv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2025-64500.yml 38.1.0
2026-04-03T00:39:27.402037+00:00 GitLab Importer Affected by VCID-9bzz-84cq-ykh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml 38.1.0
2026-04-02T22:22:44.650135+00:00 GitLab Importer Affected by VCID-jdsd-3vnz-uygn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-18888.yml 38.1.0
2026-04-02T22:18:11.048836+00:00 GitLab Importer Affected by VCID-3uu1-kftu-nbhd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-10913.yml 38.1.0
2026-04-02T22:11:10.948487+00:00 GitLab Importer Affected by VCID-bhfu-7788-fbhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2018-14773.yml 38.1.0
2026-04-02T22:09:31.940563+00:00 GitLab Importer Affected by VCID-2hua-7wbd-tqbx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2018-11386.yml 38.1.0
2026-04-01T16:40:31.604084+00:00 GitLab Importer Affected by VCID-jdsd-3vnz-uygn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-18888.yml 38.0.0
2026-04-01T16:35:51.155888+00:00 GitLab Importer Affected by VCID-3uu1-kftu-nbhd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-10913.yml 38.0.0
2026-04-01T16:28:32.272617+00:00 GitLab Importer Affected by VCID-bhfu-7788-fbhc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2018-14773.yml 38.0.0
2026-04-01T16:26:46.634675+00:00 GitLab Importer Affected by VCID-2hua-7wbd-tqbx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2018-11386.yml 38.0.0