Search for packages
| purl | pkg:composer/symfony/http-foundation@7.0.0 |
| Next non-vulnerable version | 7.1.7 |
| Latest non-vulnerable version | 7.2.0-BETA1 |
| Risk | 1.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-bf8y-eqha-q3cy
Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp |
Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T19:14:47.626103+00:00 | GitLab Importer | Affected by | VCID-bf8y-eqha-q3cy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml | 37.0.0 |
| 2025-07-03T13:57:23.260702+00:00 | GitLab Importer | Affected by | VCID-bf8y-eqha-q3cy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-foundation/CVE-2024-50345.yml | 36.1.3 |
| 2025-07-01T14:35:47.116247+00:00 | GHSA Importer | Affected by | VCID-bf8y-eqha-q3cy | https://github.com/advisories/GHSA-mrqx-rp3w-jpjp | 36.1.3 |