HTTP URI Parsing Vulnerability in Symfony's http-foundation Module
CVE-2024-50345

3.1LOW

Key Information:

Vendor: Symfony
Status: Symfony
Vendor: CVE Published:; 6 November 2024

What is CVE-2024-50345?

symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The Request class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class to redirect users to another domain. The Request::create methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

symfony < 5.4.46 < 5.4.46

symfony >= 6.0.0, < 6.4.14 < 6.0.0, 6.4.14

symfony >= 7.0.0, < 7.1.7 < 7.0.0, 7.1.7

References

https://github.com/symfony/symfony/security/advisories/GH...

x_refsource_CONFIRM

https://url.spec.whatwg.org

x_refsource_MISC

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2024

JSON