Search for vulnerabilities
Vulnerability details: VCID-bf8y-eqha-q3cy
Vulnerability ID VCID-bf8y-eqha-q3cy
Aliases CVE-2024-50345
GHSA-mrqx-rp3w-jpjp
Summary Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
System Score Found at
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2024-50345
cvssv3.1_qr LOW https://github.com/advisories/GHSA-mrqx-rp3w-jpjp
cvssv3.1 3.1 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
generic_textual LOW https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
cvssv3.1 3.1 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
generic_textual LOW https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
cvssv3.1 3.1 https://github.com/symfony/symfony
generic_textual LOW https://github.com/symfony/symfony
cvssv3.1 3.1 https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
generic_textual LOW https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
cvssv3.1 3.1 https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
cvssv3.1_qr LOW https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
generic_textual LOW https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
ssvc Track https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
cvssv3.1 3.1 https://nvd.nist.gov/vuln/detail/CVE-2024-50345
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2024-50345
cvssv3.1 3.1 https://symfony.com/cve-2024-50345
generic_textual LOW https://symfony.com/cve-2024-50345
cvssv3.1 3.1 https://url.spec.whatwg.org
generic_textual LOW https://url.spec.whatwg.org
ssvc Track https://url.spec.whatwg.org
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-50345
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50345
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
https://github.com/symfony/symfony
https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
https://nvd.nist.gov/vuln/detail/CVE-2024-50345
https://symfony.com/cve-2024-50345
https://url.spec.whatwg.org
GHSA-mrqx-rp3w-jpjp https://github.com/advisories/GHSA-mrqx-rp3w-jpjp
USN-7272-1 https://usn.ubuntu.com/7272-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/symfony/symfony
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/ Found at https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-50345
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://symfony.com/cve-2024-50345
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://url.spec.whatwg.org
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-07T15:21:57Z/ Found at https://url.spec.whatwg.org
Exploit Prediction Scoring System (EPSS)
Percentile 0.24097
EPSS Score 0.00078
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:10:36.234311+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-mrqx-rp3w-jpjp/GHSA-mrqx-rp3w-jpjp.json 36.1.3