VulnerableCode Package Details - pkg:composer/symfony/symfony@5.4.43

Search for packages

Vulnerability	Summary	Fixed by
VCID-267p-fu2q-hyd1 Aliases: CVE-2024-50342 GHSA-9c3x-r3wp-mgxm	Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.	5.4.47 Affected by 0 other vulnerabilities. 6.0.0-BETA1 Affected by 0 other vulnerabilities. 6.4.15 Affected by 0 other vulnerabilities. 7.0.0-BETA1 Affected by 0 other vulnerabilities. 7.1.8 Affected by 0 other vulnerabilities. 7.2.0-BETA1 Affected by 0 other vulnerabilities.
VCID-5ydt-hq1s-n7fx Aliases: CVE-2024-50340 GHSA-x8vp-gf4q-mw5j	Symfony allows changing the environment through a query ### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4. ### Credits We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.	5.4.46 Affected by 0 other vulnerabilities. 6.0.0-BETA1 Affected by 0 other vulnerabilities. 6.4.14 Affected by 0 other vulnerabilities. 7.0.0-BETA1 Affected by 0 other vulnerabilities. 7.1.7 Affected by 0 other vulnerabilities. 7.2.0-BETA1 Affected by 0 other vulnerabilities.
VCID-atjd-s983-zkaz Aliases: CVE-2024-51736 GHSA-qq5c-677p-737q	Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.	5.4.46 Affected by 0 other vulnerabilities. 6.0.0-BETA1 Affected by 0 other vulnerabilities. 6.4.14 Affected by 0 other vulnerabilities. 7.0.0-BETA1 Affected by 0 other vulnerabilities. 7.1.7 Affected by 0 other vulnerabilities. 7.2.0-BETA1 Affected by 0 other vulnerabilities.
VCID-bf8y-eqha-q3cy Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp	Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.	5.4.46 Affected by 0 other vulnerabilities. 6.0.0-BETA1 Affected by 0 other vulnerabilities. 6.4.14 Affected by 0 other vulnerabilities. 7.0.0-BETA1 Affected by 0 other vulnerabilities. 7.1.7 Affected by 0 other vulnerabilities. 7.2.0-BETA1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-267p-fu2q-hyd1
Aliases:
CVE-2024-50342
GHSA-9c3x-r3wp-mgxm

Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

5.4.47
Affected by 0 other vulnerabilities.

6.0.0-BETA1
Affected by 0 other vulnerabilities.

6.4.15
Affected by 0 other vulnerabilities.

7.0.0-BETA1
Affected by 0 other vulnerabilities.

7.1.8
Affected by 0 other vulnerabilities.

7.2.0-BETA1
Affected by 0 other vulnerabilities.

VCID-5ydt-hq1s-n7fx
Aliases:
CVE-2024-50340
GHSA-x8vp-gf4q-mw5j

Symfony allows changing the environment through a query ### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4. ### Credits We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

5.4.46
Affected by 0 other vulnerabilities.

6.0.0-BETA1
Affected by 0 other vulnerabilities.

6.4.14
Affected by 0 other vulnerabilities.

7.0.0-BETA1
Affected by 0 other vulnerabilities.

7.1.7
Affected by 0 other vulnerabilities.

7.2.0-BETA1
Affected by 0 other vulnerabilities.

VCID-atjd-s983-zkaz
Aliases:
CVE-2024-51736
GHSA-qq5c-677p-737q

Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.

5.4.46
Affected by 0 other vulnerabilities.

6.0.0-BETA1
Affected by 0 other vulnerabilities.

6.4.14
Affected by 0 other vulnerabilities.

7.0.0-BETA1
Affected by 0 other vulnerabilities.

7.1.7
Affected by 0 other vulnerabilities.

7.2.0-BETA1
Affected by 0 other vulnerabilities.

VCID-bf8y-eqha-q3cy
Aliases:
CVE-2024-50345
GHSA-mrqx-rp3w-jpjp

Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

5.4.46
Affected by 0 other vulnerabilities.

6.0.0-BETA1
Affected by 0 other vulnerabilities.

6.4.14
Affected by 0 other vulnerabilities.

7.0.0-BETA1
Affected by 0 other vulnerabilities.

7.1.7
Affected by 0 other vulnerabilities.

7.2.0-BETA1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-fhmx-pjm9-zqdd	Symfony has an incorrect response from Validator when input ends with `\n` ### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.	CVE-2024-50343 GHSA-g3rh-rrhp-jhh9

Vulnerability

Summary

Aliases

VCID-fhmx-pjm9-zqdd

Symfony has an incorrect response from Validator when input ends with `\n` ### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.

CVE-2024-50343
GHSA-g3rh-rrhp-jhh9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:15:01.623713+00:00	GitLab Importer	Fixing	VCID-fhmx-pjm9-zqdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50343.yml	37.0.0
2025-07-03T19:14:59.596243+00:00	GitLab Importer	Affected by	VCID-267p-fu2q-hyd1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50342.yml	37.0.0
2025-07-03T19:14:55.756196+00:00	GitLab Importer	Affected by	VCID-bf8y-eqha-q3cy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50345.yml	37.0.0
2025-07-03T19:14:48.062831+00:00	GitLab Importer	Affected by	VCID-5ydt-hq1s-n7fx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50340.yml	37.0.0
2025-07-03T19:14:44.947345+00:00	GitLab Importer	Affected by	VCID-atjd-s983-zkaz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-51736.yml	37.0.0
2025-07-03T13:57:23.807479+00:00	GitLab Importer	Fixing	VCID-fhmx-pjm9-zqdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/CVE-2024-50343.yml	36.1.3
2025-07-01T14:35:47.052751+00:00	GHSA Importer	Fixing	VCID-fhmx-pjm9-zqdd	https://github.com/advisories/GHSA-g3rh-rrhp-jhh9	36.1.3
2025-07-01T12:10:37.484620+00:00	GithubOSV Importer	Fixing	VCID-fhmx-pjm9-zqdd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-g3rh-rrhp-jhh9/GHSA-g3rh-rrhp-jhh9.json	36.1.3