VulnerableCode Package Details - pkg:deb/debian/symfony@4.4.13%2Bdfsg-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-txk7-krb1-bqd9	RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.	CVE-2020-15094 GHSA-754h-5r27-7x3r

Vulnerability

Summary

Aliases

VCID-txk7-krb1-bqd9

RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

CVE-2020-15094
GHSA-754h-5r27-7x3r

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:17:11.573814+00:00	Debian Importer	Fixing	VCID-txk7-krb1-bqd9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T06:55:15.602011+00:00	Debian Importer	Fixing	VCID-txk7-krb1-bqd9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:53:42.532194+00:00	Debian Importer	Fixing	VCID-txk7-krb1-bqd9	https://security-tracker.debian.org/tracker/data/json	38.1.0