Symfony 2.0.11 has just been released and it contains a security vulnerability fix for the Serializer Component. If you are using the Serializer component, you should upgrade as soon as possible.

The security vulnerability has been reported this morning by Sense of Security:

"The XMLEncoder component of Symfony 2.0.x fails to disable external entities when parsing XML. In the Symfony2 framework the XML class may be used to deserialize objects or as part of a client/server API. By using external entities it is possible to include arbitrary files from the file system."

They have also provided a possible exploit example:

$serializer = new Serializer(array(), array(
    'xml' => new \Symfony\Component\Serializer\Encoder\XmlEncoder()

$x = $serializer->decode('<?xml version="1.0"?><!DOCTYPE scan


In this case, $x will now contain a copy of /etc/passwd in base64 encoded form.

The vulnerability has been fixed today by Jordi Boggiano and we are releasing Symfony 2.0.11 tonight to ensure an easy upgrade path for everybody. If you cannot upgrade to 2.0.11, please at least apply the appropriate patch as soon as possible.

The 2.0.11 release also contains some other minor bug fixes. As always, the CHANGELOG has all the details about the changes done in this release and you can also have a look at the full diff.

If you are starting a new project, you can get the Symfony Standard Edition distribution on the download page.

If you already have a project based on the Symfony Standard Edition 2.0.x, you can easily upgrade to 2.0.11 by getting the new deps and deps.lock files.

Then, run the vendors script (it also clears your cache):

$ ./bin/vendors install

Remember that the Symfony2 Components are also available as standalone libraries. You can get them via their dedicated read-only repositories on Github ( for instance), install them via PEAR (pear install symfony2/Finder), or even install them via Composer.