Search for vulnerabilities
Vulnerability details: VCID-q9nm-2b34-yked
Vulnerability ID VCID-q9nm-2b34-yked
Aliases CVE-2021-41267
GHSA-q3j3-w37x-hq2q
Summary Webcache Poisoning in symfony/http-kernel Description ----------- When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` HTTP header, leading to a web cache poisoning issue. Resolution ---------- Symfony now ensures that the `X-Forwarded-Prefix` HTTP header is not forwarded to sub-requests when it is not trusted. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487) for branch 5.3. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00462 https://api.first.org/data/v1/epss?cve=CVE-2021-41267
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q3j3-w37x-hq2q
cvssv3.1 6.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml
cvssv3.1 6.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml
cvssv3.1 6.5 https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
generic_textual MODERATE https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
cvssv3.1 6.5 https://github.com/symfony/symfony/pull/44243
generic_textual MODERATE https://github.com/symfony/symfony/pull/44243
cvssv3.1 6.5 https://github.com/symfony/symfony/releases/tag/v5.3.12
generic_textual MODERATE https://github.com/symfony/symfony/releases/tag/v5.3.12
cvssv3.1 6.5 https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
cvssv3.1_qr MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
generic_textual MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2021-41267
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-41267
cvssv3.1 6.5 https://symfony.com/cve-2021-41267
generic_textual MODERATE https://symfony.com/cve-2021-41267
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-41267
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml
https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
https://github.com/symfony/symfony/pull/44243
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
https://nvd.nist.gov/vuln/detail/CVE-2021-41267
https://symfony.com/cve-2021-41267
GHSA-q3j3-w37x-hq2q https://github.com/advisories/GHSA-q3j3-w37x-hq2q
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/symfony/symfony/pull/44243
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/symfony/symfony/releases/tag/v5.3.12
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-41267
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://symfony.com/cve-2021-41267
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.63187
EPSS Score 0.00462
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:19:16.983259+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-q3j3-w37x-hq2q/GHSA-q3j3-w37x-hq2q.json 36.1.3