GHSA-cg23-qf8f-62rr

GitHub Security Advisory

Symfony has an Authentication Bypass via RememberMe

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Description

When consuming a persisted remember-me cookie, Symfony does not check that the username persisted in the database matches the username carried in the cookie, leading to authentication bypass.

### Resolution

The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4.
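To make the missing check concrete, the following is an added, simplified model of persisted remember-me consumption; it is not Symfony's code, and the `series:token:username` cookie layout, the `TOKEN_STORE` rows and the function names are constructed for this illustration. `check_owner=False` reproduces the flaw described above (token verified by series, cookie username trusted), `check_owner=True` adds the owner comparison the fix introduces.

```python
import hashlib
import hmac
from dataclasses import dataclass


class RememberMeError(Exception):
    """Raised when a remember-me cookie is rejected."""


@dataclass
class PersistentToken:
    # Constructed model of one persisted remember-me row.
    series: str
    token_hash: str
    user_identifier: str  # the owner recorded when the token was issued


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed token store standing in for the database side of the scheme.
TOKEN_STORE = {
    "series-alice": PersistentToken("series-alice", _hash("alice-secret"), "alice"),
    "series-bob": PersistentToken("series-bob", _hash("bob-secret"), "bob"),
}


def consume_cookie(cookie: str, check_owner: bool) -> str:
    """Validate a constructed 'series:token:username' cookie, return the user.

    check_owner=False: the row is looked up by series and the token verified,
    but the username carried in the cookie is trusted as-is (the flaw).
    check_owner=True: the cookie username must equal the persisted owner of
    that series (the fix), otherwise the cookie is rejected.
    """
    parts = cookie.split(":")
    if len(parts) != 3:
        raise RememberMeError("malformed cookie")
    series, token, cookie_user = parts
    row = TOKEN_STORE.get(series)
    if row is None:
        raise RememberMeError("unknown series")
    # Constant-time comparison of the presented token against the stored hash.
    if not hmac.compare_digest(row.token_hash, _hash(token)):
        raise RememberMeError("token mismatch")
    if check_owner and row.user_identifier != cookie_user:
        raise RememberMeError("cookie username does not match token owner")
    return cookie_user  # identity the application would authenticate as
```

A regression test for the fix is the third case below: a valid series/token pair combined with a different username must be rejected once the owner check is in place.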

### Credits

We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

Affected Packages

symfony/security-http (Packagist): affected versions 5.3.0 (fixed in 5.4.47)
symfony/security-http (Packagist): affected versions 6.0.0-BETA1 (fixed in 6.4.15)
symfony/security-http (Packagist): affected versions 7.0.0-BETA1 (fixed in 7.1.8)

Key Information

GHSA ID: GHSA-cg23-qf8f-62rr
Published: November 13, 2024 6:29 PM
Last Modified: November 14, 2024 11:55 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Packagist
Primary Package: symfony/security-http
GitHub Reviewed: Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database.