Search for packages
Package details: pkg:composer/symfony/security-http@5.2.0
purl pkg:composer/symfony/security-http@5.2.0
Next non-vulnerable version 7.1.8
Latest non-vulnerable version 7.2.0-BETA1
Risk 3.4
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-7gzy-b9hc-zuh2
Aliases:
CVE-2021-21424
GHSA-5pv8-ppvj-4h68
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
5.2.8
Affected by 3 other vulnerabilities.
VCID-hm1q-8mjy-47ek
Aliases:
CVE-2024-36611
GHSA-7q22-x757-cmgc
Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.
7.1.0
Affected by 1 other vulnerability.
VCID-j2sp-exnt-uubz
Aliases:
GHSA-g2qj-pmxm-9f8f
GMS-2021-130
GMS-2021-131
User enumeration in authentication mechanisms Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.
5.2.8
Affected by 3 other vulnerabilities.
VCID-q9nm-2b34-yked
Aliases:
CVE-2021-41267
GHSA-q3j3-w37x-hq2q
Webcache Poisoning in symfony/http-kernel Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` HTTP header, leading to a web cache poisoning issue. Resolution ---------- Symfony now ensures that the `X-Forwarded-Prefix` HTTP header is not forwarded to sub-requests when it is not trusted. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487) for branch 5.3. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.
5.4.0-BETA1
Affected by 3 other vulnerabilities.
5.4.0
Affected by 3 other vulnerabilities.
VCID-xv9e-a7qq-63a1
Aliases:
CVE-2023-46734
GHSA-q847-2q57-wmr3
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters ### Description Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe. ### Resolution Symfony now escapes the output of the affected filters. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c) for branch 4.4. ### Credits We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.
5.4.31
Affected by 2 other vulnerabilities.
6.3.8
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T19:16:32.065143+00:00 GitLab Importer Affected by VCID-hm1q-8mjy-47ek https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2024-36611.yml 37.0.0
2025-07-03T18:53:05.617755+00:00 GitLab Importer Affected by VCID-xv9e-a7qq-63a1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2023-46734.yml 37.0.0
2025-07-03T18:07:16.404968+00:00 GitLab Importer Affected by VCID-q9nm-2b34-yked https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-41267.yml 37.0.0
2025-07-03T17:59:37.824457+00:00 GitLab Importer Affected by VCID-j2sp-exnt-uubz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/GMS-2021-130.yml 37.0.0
2025-07-03T17:59:32.342077+00:00 GitLab Importer Affected by VCID-7gzy-b9hc-zuh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-21424.yml 37.0.0
2025-07-01T18:12:17.057851+00:00 GitLab Importer Affected by VCID-q9nm-2b34-yked https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-http/CVE-2021-41267.yml 36.1.3