VulnerableCode Package Details - pkg:composer/symfony/serializer@5.2.9

Search for packages

Vulnerability	Summary	Fixed by
VCID-mcd3-rb4z-uyfm Aliases: CVE-2021-41270 GHSA-2xhg-w2g5-w95x	Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.	5.3.12 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.4.0-BETA1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xv9e-a7qq-63a1 Aliases: CVE-2023-46734 GHSA-q847-2q57-wmr3	Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters ### Description Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe. ### Resolution Symfony now escapes the output of the affected filters. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c) for branch 4.4. ### Credits We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.	5.4.31 Affected by 0 other vulnerabilities. 6.3.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-mcd3-rb4z-uyfm
Aliases:
CVE-2021-41270
GHSA-2xhg-w2g5-w95x

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option in the `CsvEncoder`, to prefix all cells starting with `=`, `+`, `-` or `@` with a tab `\t`. Since then, OWASP added 2 chars in that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab `\t`) part of the vulnerable characters, and OWASP suggests using the single quote `'` for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote `'` to prefix formulas and add the prefix to cells starting by `\t`, `\r` as well as `=`, `+`, `-` and `@`.

5.3.12
Affected by 1 other vulnerability.

5.4.0-BETA1
Affected by 1 other vulnerability.

VCID-xv9e-a7qq-63a1
Aliases:
CVE-2023-46734
GHSA-q847-2q57-wmr3

Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters ### Description Some Twig filters in CodeExtension use "is_safe=html" but don't actually ensure their input is safe. ### Resolution Symfony now escapes the output of the affected filters. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c) for branch 4.4. ### Credits We would like to thank Pierre Rudloff for reporting the issue and to Nicolas Grekas for providing the fix.

5.4.31
Affected by 0 other vulnerabilities.

6.3.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T18:53:03.549975+00:00	GitLab Importer	Affected by	VCID-xv9e-a7qq-63a1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/serializer/CVE-2023-46734.yml	37.0.0
2025-07-03T18:07:17.798182+00:00	GitLab Importer	Affected by	VCID-mcd3-rb4z-uyfm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/serializer/CVE-2021-41270.yml	37.0.0

2025-07-03T18:53:03.549975+00:00

GitLab Importer

Affected by

VCID-xv9e-a7qq-63a1

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/serializer/CVE-2023-46734.yml

37.0.0

2025-07-03T18:07:17.798182+00:00

GitLab Importer

Affected by

VCID-mcd3-rb4z-uyfm

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/serializer/CVE-2021-41270.yml

37.0.0

Next non-vulnerable version	5.4.31
Latest non-vulnerable version	6.3.8
Risk