VulnerableCode Package Details - pkg:composer/symfony/symfony@7.1.7

Search for packages

Vulnerability	Summary	Fixed by
VCID-p1dw-w76f-gbfv Aliases: CVE-2025-64500 GHSA-3rg7-wf37-54rm	Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.	7.3.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.4.0-BETA1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-p1dw-w76f-gbfv
Aliases:
CVE-2025-64500
GHSA-3rg7-wf37-54rm

Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption.

7.3.7
Affected by 1 other vulnerability.

7.4.0-BETA1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4num-z8cg-83gt	Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.	CVE-2024-51736 GHSA-qq5c-677p-737q
VCID-9bzz-84cq-ykh2	Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.	CVE-2024-50345 GHSA-mrqx-rp3w-jpjp
VCID-en6a-wp7q-fbfs	Symfony allows changing the environment through a query ### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4. ### Credits We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.	CVE-2024-50340 GHSA-x8vp-gf4q-mw5j

Vulnerability

Summary

Aliases

VCID-4num-z8cg-83gt

Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.

CVE-2024-51736
GHSA-qq5c-677p-737q

VCID-9bzz-84cq-ykh2

Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

CVE-2024-50345
GHSA-mrqx-rp3w-jpjp

VCID-en6a-wp7q-fbfs

Symfony allows changing the environment through a query ### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4. ### Credits We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

CVE-2024-50340
GHSA-x8vp-gf4q-mw5j

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:51:49.502125+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2025-64500.yml	38.4.0
2026-04-12T01:13:25.190817+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2025-64500.yml	38.3.0
2026-04-07T04:56:21.223037+00:00	GHSA Importer	Fixing	VCID-4num-z8cg-83gt	https://github.com/advisories/GHSA-qq5c-677p-737q	38.1.0
2026-04-07T04:56:20.420486+00:00	GHSA Importer	Fixing	VCID-en6a-wp7q-fbfs	https://github.com/advisories/GHSA-x8vp-gf4q-mw5j	38.1.0
2026-04-03T01:22:22.356899+00:00	GitLab Importer	Affected by	VCID-p1dw-w76f-gbfv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2025-64500.yml	38.1.0
2026-04-02T12:40:20.766901+00:00	GitLab Importer	Fixing	VCID-9bzz-84cq-ykh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50345.yml	38.0.0
2026-04-02T12:40:20.145411+00:00	GitLab Importer	Fixing	VCID-en6a-wp7q-fbfs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50340.yml	38.0.0
2026-04-02T12:40:20.039350+00:00	GitLab Importer	Fixing	VCID-4num-z8cg-83gt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-51736.yml	38.0.0
2026-04-01T12:51:13.590315+00:00	GithubOSV Importer	Fixing	VCID-4num-z8cg-83gt	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qq5c-677p-737q/GHSA-qq5c-677p-737q.json	38.0.0
2026-04-01T12:51:05.107811+00:00	GithubOSV Importer	Fixing	VCID-en6a-wp7q-fbfs	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-x8vp-gf4q-mw5j/GHSA-x8vp-gf4q-mw5j.json	38.0.0