GHSA-r7p7-qr7p-2rrf
GitHub Security Advisory
Symfony Open Redirect
GitHub Reviewed | Severity: MODERATE | Has CVE
Advisory Details
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` takes the content of the `_target_path` parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This open redirect vulnerability can be exploited, for example, to mount effective phishing attacks.
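The missing check described above, as an added example that is not Symfony's own code: a hypothetical helper that accepts a submitted `_target_path` only when it is a root-relative path on the current application, and otherwise falls back to a default. The function names are assumed for illustration; the real fix lives in the patched `symfony/security-http` releases listed below.

```php
<?php
// Added example (not Symfony's own code): the validation that the affected
// handlers lacked, i.e. refusing a `_target_path` that would send the
// browser off-site. Helper names are assumed for illustration.

/**
 * Return true only when $target is a local, root-relative path.
 * Rejects absolute URLs ("https://evil.example/login"), protocol-relative
 * URLs ("//evil.example") and scheme-style values ("javascript:...").
 */
function isSafeTargetPath(string $target): bool
{
    // Empty value: the caller should use its default path instead.
    if ($target === '') {
        return false;
    }
    // Any scheme or host means the redirect leaves this origin.
    // parse_url() returns false on malformed input, which also fails closed.
    if (parse_url($target, PHP_URL_SCHEME) !== null
        || parse_url($target, PHP_URL_HOST) !== null) {
        return false;
    }
    // Guard against backslash variants ("/\evil.example") that some
    // browsers normalise to "//" before parse_url() would see a host.
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return false;
    }
    // Require a root-relative path so the browser stays on this origin.
    return $target[0] === '/';
}

/**
 * Choose the redirect target the way a success handler would, falling
 * back to $defaultPath whenever the submitted value is not local.
 */
function resolveRedirectTarget(?string $submitted, string $defaultPath = '/'): string
{
    if ($submitted !== null && isSafeTargetPath($submitted)) {
        return $submitted;
    }
    return $defaultPath;
}

// Constructed inputs showing which shapes are accepted and which fall back.
foreach (['/account', 'https://evil.example/login', '//evil.example', 'relative/page', null] as $input) {
    printf("%-30s -> %s\n", var_export($input, true), resolveRedirectTarget($input, '/'));
}
```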
Affected Packages (Packagist)
symfony/symfony, affected versions: 2.7.0 (fixed in 2.7.38); 2.8.0 (fixed in 2.8.31); 3.2.0 (fixed in 3.2.14); 3.3.0 (fixed in 3.3.13)
symfony/security-http, affected versions: 2.7.0 (fixed in 2.7.38); 2.8.0 (fixed in 2.8.31); 3.2.0 (fixed in 3.2.14); 3.3.0 (fixed in 3.3.13)
symfony/security, affected versions: 2.7.0 (fixed in 2.7.38); 2.8.0 (fixed in 2.8.31); 3.2.0 (fixed in 3.2.14); 3.3.0 (fixed in 3.3.13)
Key Information
Score: 5.0/10
Last updated: August 31, 2025 6:33 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.