VulnerableCode Package Details - pkg:composer/symfony/http-foundation@4.3.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-9bzz-84cq-ykh2 Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp	Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.	5.4.46 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.4.14 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.1.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.2.0-BETA1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-e71e-d4tr-wqgz Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68	Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.	4.4.23 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.2.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-p1dw-w76f-gbfv Aliases: CVE-2025-64500 GHSA-3rg7-wf37-54rm	Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.	5.4.50 Affected by 0 other vulnerabilities. 6.4.29 Affected by 0 other vulnerabilities. 7.3.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-9bzz-84cq-ykh2
Aliases:
CVE-2024-50345
GHSA-mrqx-rp3w-jpjp

Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

5.4.46
Affected by 1 other vulnerability.

6.4.14
Affected by 1 other vulnerability.

7.1.7
Affected by 1 other vulnerability.

7.2.0-BETA1
Affected by 1 other vulnerability.

VCID-e71e-d4tr-wqgz
Aliases:
CVE-2021-21424
GHSA-5pv8-ppvj-4h68

Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

4.4.23
Affected by 2 other vulnerabilities.

5.2.8
Affected by 2 other vulnerabilities.

VCID-p1dw-w76f-gbfv
Aliases:
CVE-2025-64500
GHSA-3rg7-wf37-54rm

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.

5.4.50
Affected by 0 other vulnerabilities.

6.4.29
Affected by 0 other vulnerabilities.

7.3.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jdsd-3vnz-uygn	Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).	CVE-2019-18888 GHSA-xhh6-956q-4q69

Vulnerability

Summary

Aliases

VCID-jdsd-3vnz-uygn

Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

CVE-2019-18888
GHSA-xhh6-956q-4q69

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:22:58.678202+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2021-21424.yml	38.4.0
2026-04-16T20:58:58.381803+00:00	GitLab Importer	Fixing	VCID-jdsd-3vnz-uygn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-18888.yml	38.4.0
2026-04-12T01:13:27.084974+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2025-64500.yml	38.3.0
2026-04-12T00:31:45.481970+00:00	GitLab Importer	Affected by	VCID-9bzz-84cq-ykh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml	38.3.0
2026-04-11T22:35:37.808845+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2021-21424.yml	38.3.0
2026-04-11T22:10:09.941116+00:00	GitLab Importer	Fixing	VCID-jdsd-3vnz-uygn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-18888.yml	38.3.0
2026-04-03T01:22:24.285507+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2025-64500.yml	38.1.0
2026-04-03T00:39:28.414572+00:00	GitLab Importer	Affected by	VCID-9bzz-84cq-ykh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml	38.1.0
2026-04-02T22:46:40.918847+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2021-21424.yml	38.1.0
2026-04-02T22:22:45.496458+00:00	GitLab Importer	Fixing	VCID-jdsd-3vnz-uygn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-18888.yml	38.1.0
2026-04-01T17:04:37.471716+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2021-21424.yml	38.0.0
2026-04-01T16:40:32.571000+00:00	GitLab Importer	Fixing	VCID-jdsd-3vnz-uygn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2019-18888.yml	38.0.0
2026-04-01T15:57:47.946402+00:00	GHSA Importer	Fixing	VCID-jdsd-3vnz-uygn	https://github.com/advisories/GHSA-xhh6-956q-4q69	38.0.0
2026-04-01T13:04:21.207774+00:00	GithubOSV Importer	Fixing	VCID-jdsd-3vnz-uygn	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-xhh6-956q-4q69/GHSA-xhh6-956q-4q69.json	38.0.0