Search for packages
Package details: pkg:composer/symfony/http-kernel@2.0.0
purl pkg:composer/symfony/http-kernel@2.0.0
Tags Ghost
Next non-vulnerable version 3.4.48
Latest non-vulnerable version 6.2.6
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-64bd-n2s2-9qcj
Aliases:
CVE-2022-24894
GHSA-h7vf-5wrv-9fhv
Symfony storing cookie headers in HttpCache Description ----------- The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients. In a recent `AbstractSessionListener` change, the response might now contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session. Resolution ---------- The `HttpStore` constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is `Set-Cookie`, but it can be overridden or extended by the application. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb) for branch 4.4. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.
4.4.50
Affected by 0 other vulnerabilities.
5.4.20
Affected by 0 other vulnerabilities.
6.0.20
Affected by 0 other vulnerabilities.
6.1.12
Affected by 0 other vulnerabilities.
6.2.6
Affected by 0 other vulnerabilities.
VCID-dhzg-5h9j-vfdd
Aliases:
CVE-2014-5245
GHSA-wvjv-p5rr-mmqm
Symfony allows direct access of ESI URLs behind a trusted proxy All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.2 as it is not maintained anymore. Description When you enable the ESI feature and when you are using a proxy like Varnish that you configured as a trusted proxy, the `FragmentHandler` considered requests to render fragments as coming from a trusted source, even if the client was requesting them directly. Symfony can not distinguish between ESI requests done on behalf of the client by Varnish and faked fragment requests coming directly from the client. To mitigate this issue, and for not-supported Symfony versions, you can use the following workaround in your Varnish configuration (`/_fragment` being the URL path prefix configured under the `fragment` setting of the framework bundle configuration): Copy sub vcl_recv { if (req.restarts == 0 && req.url ~ "^/_fragment") { error 400; } } Resolution We do not rely on trusted IPs anymore when validating a fragment request as all fragment URLs are now signed. The patch for this issue is available here: https://github.com/symfony/symfony/pull/11831
2.3.19
Affected by 3 other vulnerabilities.
2.4.9
Affected by 3 other vulnerabilities.
2.5.0-BETA1
Affected by 3 other vulnerabilities.
2.5.4
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T16:52:44.527787+00:00 GHSA Importer Affected by VCID-64bd-n2s2-9qcj https://github.com/advisories/GHSA-h7vf-5wrv-9fhv 37.0.0
2025-07-01T18:10:02.200761+00:00 GitLab Importer Affected by VCID-dhzg-5h9j-vfdd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2014-5245.yml 36.1.3
2025-07-01T14:35:01.009172+00:00 GHSA Importer Affected by VCID-dhzg-5h9j-vfdd https://github.com/advisories/GHSA-wvjv-p5rr-mmqm 36.1.3