Search for packages
| purl | pkg:composer/symfony/http-foundation@4.4.14 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-48cj-cbs6-83d7
Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68 |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-6aj5-vhfg-qkgk
Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp |
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-zws9-ffpd-5ffw
Aliases: CVE-2025-64500 GHSA-3rg7-wf37-54rm |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T20:29:04.959028+00:00 | GitLab Importer | Affected by | VCID-zws9-ffpd-5ffw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2025-64500.yml | 38.6.0 |
| 2026-06-12T19:45:37.250764+00:00 | GitLab Importer | Affected by | VCID-6aj5-vhfg-qkgk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml | 38.6.0 |
| 2026-06-12T17:39:37.516241+00:00 | GitLab Importer | Affected by | VCID-48cj-cbs6-83d7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2021-21424.yml | 38.6.0 |