VulnerableCode Package Details - pkg:composer/symfony/http-kernel@5.2.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-7gzy-b9hc-zuh2 Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.	5.2.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-q9nm-2b34-yked Aliases: CVE-2021-41267 GHSA-q3j3-w37x-hq2q	Webcache Poisoning in symfony/http-kernel Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` HTTP header, leading to a web cache poisoning issue. Resolution ---------- Symfony now ensures that the `X-Forwarded-Prefix` HTTP header is not forwarded to sub-requests when it is not trusted. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487) for branch 5.3. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.	5.3.12 Affected by 0 other vulnerabilities. 5.4.0-BETA1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7gzy-b9hc-zuh2
Aliases:
CVE-2021-21424
GHSA-5pv8-ppvj-4h68

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

5.2.8
Affected by 1 other vulnerability.

VCID-q9nm-2b34-yked
Aliases:
CVE-2021-41267
GHSA-q3j3-w37x-hq2q

Webcache Poisoning in symfony/http-kernel Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` HTTP header, leading to a web cache poisoning issue. Resolution ---------- Symfony now ensures that the `X-Forwarded-Prefix` HTTP header is not forwarded to sub-requests when it is not trusted. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487) for branch 5.3. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.

5.3.12
Affected by 0 other vulnerabilities.

5.4.0-BETA1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:07:21.673835+00:00	GitLab Importer	Affected by	VCID-q9nm-2b34-yked	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2021-41267.yml	37.0.0
2025-07-03T17:59:28.089576+00:00	GitLab Importer	Affected by	VCID-7gzy-b9hc-zuh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2021-21424.yml	37.0.0

2025-07-03T18:07:21.673835+00:00

GitLab Importer

Affected by

VCID-q9nm-2b34-yked

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2021-41267.yml

37.0.0

2025-07-03T17:59:28.089576+00:00

GitLab Importer

Affected by

VCID-7gzy-b9hc-zuh2

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2021-21424.yml

37.0.0

Next non-vulnerable version	5.3.12
Latest non-vulnerable version	6.2.6
Risk	3.1