GHSA-mrqx-rp3w-jpjp

GitHub Security Advisory

Symfony vulnerable to open redirect via browser-sanitized URLs

GitHub Reviewed · Severity: LOW · Has CVE

Advisory Details

### Description

The `Request` class does not parse URIs containing special characters the same way browsers do. As a result, an attacker can trick a validator that relies on the `Request` class into redirecting users to another domain.

### Resolution

The `Request::create` methods now assert that the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4.
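As an added illustration (not the Symfony patch itself), the following PHP check is in the spirit of the resolution above: it rejects characters that the WHATWG URL parser would strip or reinterpret before any host-based validation consults `parse_url()`. The host `app.example`, the sample URIs and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Reject characters the WHATWG URL parser strips or reinterprets, so that
// a host check done with parse_url() sees the same URI a browser would.
function assertUriHasNoInvalidCharacters(string $uri): void
{
    // WHATWG removes ASCII tab, CR and LF anywhere in the input.
    if (strlen($uri) !== strcspn($uri, "\t\r\n")) {
        throw new InvalidArgumentException('URI contains TAB/CR/LF');
    }
    // WHATWG trims leading and trailing C0 controls and spaces.
    if ('' !== $uri && (ord($uri[0]) <= 0x20 || ord($uri[-1]) <= 0x20)) {
        throw new InvalidArgumentException('URI has leading/trailing whitespace');
    }
    // For special schemes (http, https, ...) WHATWG treats "\" as "/",
    // so a backslash before the query or fragment can move the host
    // boundary in a browser while parse_url() leaves it untouched.
    $pos = strpos($uri, '\\');
    if (false !== $pos && $pos < strcspn($uri, '?#')) {
        throw new InvalidArgumentException('URI contains a backslash before ?/#');
    }
}

// Host as parse_url() sees it, consulted only after the character check.
function hostOf(string $uri): ?string
{
    assertUriHasNoInvalidCharacters($uri);
    $parts = parse_url($uri);
    if (false === $parts) {
        throw new InvalidArgumentException('Unparseable URI');
    }
    return isset($parts['host']) ? strtolower($parts['host']) : null;
}

// Constructed samples; app.example stands in for the application's own host.
$samples = [
    "https://app.example/account",      // accepted
    "https://app.example/path\\index",  // rejected: backslash in path
    "https://app.example/\tsearch",     // rejected: tab
    " https://app.example/",            // rejected: leading space
];
foreach ($samples as $uri) {
    try {
        printf("%-36s host=%s\n", json_encode($uri), hostOf($uri) ?? '(none)');
    } catch (InvalidArgumentException $e) {
        printf("%-36s rejected: %s\n", json_encode($uri), $e->getMessage());
    }
}
```

The point of the ordering is that the character check runs before `parse_url()`, so a validator never reasons about a host it derived from a URI a browser would have interpreted differently.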

### Credits

We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

Affected Packages

| Ecosystem | Package | Affected from | Fixed in |
|-----------|---------|---------------|----------|
| Packagist | symfony/http-foundation | 0 | 5.4.46 |
| Packagist | symfony/http-foundation | 6.0.0 | 6.4.14 |
| Packagist | symfony/http-foundation | 7.0.0 | 7.1.7 |

Key Information

GHSA ID: GHSA-mrqx-rp3w-jpjp
Published: November 6, 2024 3:22 PM
Last Modified: November 12, 2024 9:11 PM
CVSS Score: 2.5 / 10
Primary Ecosystem: Packagist
Primary Package: symfony/http-foundation
GitHub Reviewed: Yes

Dataset

Data from the GitHub Advisory Database; last updated September 11, 2025 6:35 AM.