symfony/http-foundation
Packagist. 9 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting symfony/http-foundation (page 1 of 1)
- CVE-2012-6431 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.0.19 | 2012-12-27
  Vulnerable: 2.0.4 ... v2.0.9 (13 versions)
  Symfony 2.0.x before 2.0.20 does not process URL-encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.
- CVE-2013-4752 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.3.3 | 2020-01-02
  Vulnerable: v2.3.0, v2.3.1, v2.3.2
  Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL.…
- CVE-2018-11386 | Severity: MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 4.0.11 | 2018-06-13
  Vulnerable: v4.0.0 ... v4.0.9 (11 versions)
  An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO co…
- CVE-2018-14773 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.1.3 | 2018-08-03
  Vulnerable: v4.1.0, v4.1.1, v4.1.2
  An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header t…
- CVE-2019-10913 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 4.2.7 | 2019-05-16
  Vulnerable: v4.2.0 ... v4.2.6 (7 versions)
  In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly …
- CVE-2019-18888 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.3.8 | 2019-11-21
  Vulnerable: v4.3.0 ... v4.3.7 (8 versions)
  An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arb…
- CVE-2020-5255 | Severity: LOW | CVSS 2.6 | EG 2.6 | ✓ Fixed in 5.0.7 | 2020-03-30
  Vulnerable: v5.0.0 ... v5.0.6 (7 versions)
  In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fall back to the format defined in the `Accept` header of the request, leading to a possible mismatch b…
- CVE-2024-50345 | Severity: LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 7.1.7 | 2024-11-06
  Vulnerable: v7.0.0 ... v7.1.6 (14 versions)
  symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URIs with special characters the same way browsers do. As a result, an…
- CVE-2025-64500 | Severity: HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 5.4.50 | 2025-11-12
  Vulnerable: 2.0.4 ... v5.4.9 (575 versions)
  Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to versio…