Search for vulnerabilities
Vulnerability details: VCID-64bd-n2s2-9qcj
Vulnerability ID VCID-64bd-n2s2-9qcj
Aliases CVE-2022-24894
GHSA-h7vf-5wrv-9fhv
Summary Symfony storing cookie headers in HttpCache Description ----------- The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients. In a recent `AbstractSessionListener` change, the response might now contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session. Resolution ---------- The `HttpStore` constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is `Set-Cookie`, but it can be overridden or extended by the application. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb) for branch 4.4. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.
Status Published
Exploitability 0.5
Weighted Severity 7.9
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-285 Improper Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0011 https://api.first.org/data/v1/epss?cve=CVE-2022-24894
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-h7vf-5wrv-9fhv
cvssv3.1 5.9 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
cvssv3.1 5.9 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
cvssv3.1 5.9 https://github.com/symfony/symfony
generic_textual MODERATE https://github.com/symfony/symfony
cvssv3.1 5.9 https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
generic_textual MODERATE https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
ssvc Track https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
cvssv3.1 5.9 https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
cvssv3.1_qr MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
generic_textual MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
ssvc Track https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
cvssv3.1 5.9 https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2022-24894
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2022-24894
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-24894
cvssv3.1 5.9 https://symfony.com/cve-2022-24894
generic_textual MODERATE https://symfony.com/cve-2022-24894
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-24894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24894
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
https://github.com/symfony/symfony
https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
https://nvd.nist.gov/vuln/detail/CVE-2022-24894
https://symfony.com/cve-2022-24894
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
GHSA-h7vf-5wrv-9fhv https://github.com/advisories/GHSA-h7vf-5wrv-9fhv
USN-7272-1 https://usn.ubuntu.com/7272-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/symfony/symfony
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:29Z/ Found at https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:29Z/ Found at https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T20:58:29Z/ Found at https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24894
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-24894
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L Found at https://symfony.com/cve-2022-24894
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.30281
EPSS Score 0.0011
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:14:41.958814+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-h7vf-5wrv-9fhv/GHSA-h7vf-5wrv-9fhv.json 36.1.3