Search for vulnerabilities
Vulnerability details: VCID-zry9-awfb-hqab
Vulnerability ID VCID-zry9-awfb-hqab
Aliases CVE-2014-4931
GHSA-wfv7-5x33-v22h
Summary Code injection in the way Symfony implements translation caching in FrameworkBundle When investigating issue [#11093](https://github.com/symfony/symfony/issues/11093), [Jeremy Derussé](https://connect.sensiolabs.com/profile/jderusse) found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle. - Your Symfony application is vulnerable if you meet the following conditions: - You are using the Symfony translation system from FrameworkBundle (so basically if you are using Symfony full-stack -- you are not affected if you are using the Translation component with Silex for instance); You don't sanitize locales coming from a URL (any route with a _locale argument for instance): When vulnerable, an attacker can submit a non-valid locale value that can contain some PHP code that will be executed by Symfony. That's because the locale value is dumped into a PHP file generated in the cache without being sanitized first.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wfv7-5x33-v22h
cvssv3.1 7.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2014-4931.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2014-4931.yaml
cvssv3.1 7.5 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-4931.yaml
generic_textual HIGH https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-4931.yaml
cvssv3.1 7.5 https://github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch
generic_textual HIGH https://github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch
cvssv3.1 7.5 https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released
generic_textual HIGH https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released
Reference id Reference type URL
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2014-4931.yaml
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-4931.yaml
https://github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch
https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released
GHSA-wfv7-5x33-v22h https://github.com/advisories/GHSA-wfv7-5x33-v22h
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2014-4931.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-4931.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2025-07-01T12:11:30.002237+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-wfv7-5x33-v22h/GHSA-wfv7-5x33-v22h.json 36.1.3