GHSA-x8vp-gf4q-mw5j

GitHub Security Advisory

Symfony allows changing the environment through a query

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

### Description

When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. This is possible because, with that directive enabled, PHP also populates `$_SERVER['argv']` from the query string in non-CLI SAPIs, and the runtime consulted those values as if they were command-line arguments.

### Resolution

The `SymfonyRuntime` now ignores the `argv` values for non-CLI PHP SAPIs.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4.
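The following is an added illustration, not Symfony's own code: a minimal stand-in for the part of a runtime that derives the environment and debug flag from command-line options, shown once without and once with the SAPI guard that the resolution above describes. The function names are hypothetical, and the assumption that the options in question are `--env`/`-e` and `--no-debug` is mine; the sample `$_SERVER` arrays are constructed.

```php
<?php
// Added example, not Symfony's code. Function names are hypothetical; the
// option names (--env, -e, --no-debug) are an assumption about the runtime.

const CLI_LIKE_SAPIS = ['cli', 'phpdbg', 'embed'];

/** Parse --env=<name> / -e <name> and --no-debug from an argv-style array.
 *  Index 0 is skipped, as a CLI argument parser skips the script name. */
function parseRuntimeOptions(array $argv): array
{
    $opts = [];
    for ($i = 1, $n = \count($argv); $i < $n; ++$i) {
        $arg = $argv[$i];
        if (0 === strpos($arg, '--env=')) {
            $opts['env'] = substr($arg, 6);
        } elseif ('-e' === $arg && isset($argv[$i + 1])) {
            $opts['env'] = $argv[++$i];
        } elseif ('--no-debug' === $arg) {
            $opts['debug'] = false;
        }
    }
    return $opts;
}

/** Vulnerable shape: trusts $_SERVER['argv'] regardless of SAPI. With
 *  register_argc_argv=On, web SAPIs fill that array from the query string,
 *  so a request can override the configured env/debug values. */
function resolveOptionsVulnerable(array $server, array $defaults): array
{
    return isset($server['argv']) ? parseRuntimeOptions($server['argv']) + $defaults : $defaults;
}

/** Hardened shape (what the resolution describes): argv is consulted only
 *  when PHP is running under a CLI-like SAPI; web requests keep the defaults. */
function resolveOptionsFixed(array $server, string $sapi, array $defaults): array
{
    if (!isset($server['argv']) || !\in_array($sapi, CLI_LIKE_SAPIS, true)) {
        return $defaults;
    }
    return parseRuntimeOptions($server['argv']) + $defaults;
}

// Constructed samples: a web request whose argv was populated by PHP, and a
// genuine console invocation.
$defaults  = ['env' => 'prod', 'debug' => false];
$webServer = ['argv' => ['index.php', '--env=dev'], 'REQUEST_METHOD' => 'GET'];
$cliServer = ['argv' => ['bin/console', '--env=test']];

printf("web, vulnerable: env=%s\n", resolveOptionsVulnerable($webServer, $defaults)['env']);
printf("web, fixed:      env=%s\n", resolveOptionsFixed($webServer, 'fpm-fcgi', $defaults)['env']);
printf("cli, fixed:      env=%s\n", resolveOptionsFixed($cliServer, 'cli', $defaults)['env']);
```

Independently of the package upgrade, setting `register_argc_argv = Off` in `php.ini` for web SAPIs removes the source of the untrusted `argv` array; `php -i | grep register_argc_argv` shows the effective value on a given host.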

### Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| Packagist | symfony/runtime | 5.3.0 | 5.4.46 |
| Packagist | symfony/runtime | 6.0.0 | 6.4.14 |
| Packagist | symfony/runtime | 7.0.0 | 7.1.7 |
| Packagist | symfony/symfony | 5.3.0 | 5.4.46 |
| Packagist | symfony/symfony | 6.0.0 | 6.4.14 |
| Packagist | symfony/symfony | 7.0.0 | 7.1.7 |

Key Information

| Field | Value |
|---|---|
| GHSA ID | GHSA-x8vp-gf4q-mw5j |
| Published | November 6, 2024 3:11 PM |
| Last Modified | November 6, 2024 11:39 PM |
| CVSS Score | 5.0 / 10 |
| Primary Ecosystem | Packagist |
| Primary Package | symfony/runtime |
| GitHub Reviewed | Yes |

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.