VulnerableCode Package Details - pkg:composer/symfony/http-foundation@5.0.0-BETA1

Search for packages

Vulnerability	Summary	Fixed by
VCID-bf8y-eqha-q3cy Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp	Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.	5.4.46 Affected by 0 other vulnerabilities. 6.4.14 Affected by 0 other vulnerabilities. 7.1.7 Affected by 0 other vulnerabilities. 7.2.0-BETA1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-bf8y-eqha-q3cy
Aliases:
CVE-2024-50345
GHSA-mrqx-rp3w-jpjp

Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

5.4.46
Affected by 0 other vulnerabilities.

6.4.14
Affected by 0 other vulnerabilities.

7.1.7
Affected by 0 other vulnerabilities.

7.2.0-BETA1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-x68x-js47-h7a9	Prevent cache poisoning via a Response Content-Type header in Symfony Description ----------- When a `Response` does not contain a `Content-Type` header, Symfony falls back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one. Resolution ---------- Symfony does not use the `Accept` header anymore to guess the `Content-Type`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6) for the 4.4 branch. Credits ------- I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.	CVE-2020-5255 GHSA-mcx4-f5f5-4859

Vulnerability

Summary

Aliases

VCID-x68x-js47-h7a9

Prevent cache poisoning via a Response Content-Type header in Symfony Description ----------- When a `Response` does not contain a `Content-Type` header, Symfony falls back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one. Resolution ---------- Symfony does not use the `Accept` header anymore to guess the `Content-Type`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6) for the 4.4 branch. Credits ------- I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

CVE-2020-5255
GHSA-mcx4-f5f5-4859

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T19:14:47.109543+00:00	GitLab Importer	Affected by	VCID-bf8y-eqha-q3cy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml	37.0.0
2025-07-03T17:40:01.564327+00:00	GitLab Importer	Fixing	VCID-x68x-js47-h7a9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2020-5255.yml	37.0.0

2025-07-03T19:14:47.109543+00:00

GitLab Importer

Affected by

VCID-bf8y-eqha-q3cy

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml

37.0.0

2025-07-03T17:40:01.564327+00:00

GitLab Importer

Fixing

VCID-x68x-js47-h7a9

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2020-5255.yml

37.0.0

Next non-vulnerable version	5.4.46
Latest non-vulnerable version	7.2.0-BETA1
Risk