Symfony Validator Vulnerability: Tricking Validators with `$` Metacharacters
CVE-2024-50343

3.1LOW

Key Information:

Vendor: Symfony
Status: Symfony
Vendor: CVE Published:; 6 November 2024

What is CVE-2024-50343?

symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the D regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

symfony < 5.4.43 < 5.4.43

symfony >= 6.0.0, < 6.4.11 < 6.0.0, 6.4.11

symfony >= 7.0.0, < 7.1.4 < 7.0.0, 7.1.4

References

https://github.com/symfony/symfony/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/symfony/symfony/commit/7d1032bbead9a42...

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2024

JSON