If you have found a security issue in Symfony, please send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

CVE-2019-11325: Fix escaping of strings in VarExporter

CVE-2019-11325 fixes an issue where some strings were not properly escaped while dumping, leading to possible remote code execution.

November 13, 2019 Fabien Potencier

CVE-2019-18886: Prevent user enumeration using switch user functionality

CVE-2019-18886 fixes an issue where one could enumerate users using the switch user functionality as different behaviour would occur when a user existed compared to when a user did not

November 13, 2019 Fabien Potencier

CVE-2019-18887: Use constant time comparison in UriSigner

CVE-2019-18887 fixes an issue where one could guess the signature of an URI using a remote timing attack.

November 13, 2019 Fabien Potencier

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

CVE-2019-18889 fixes an issue where the destructor of TagAwareAdapter execute callables stored in properties, leading to possible remote code execution when an external payload is unserialized.

November 13, 2019 Fabien Potencier

CVE-2019-10909: Escape validation messages in the PHP templating engine

CVE-2019-10909 fixes an issue where when using the form theme of the PHP templating engine validation messages were not correctly escaped.

April 17, 2019 Fabien Potencier

CVE-2019-10913: Reject invalid HTTP method overrides

CVE-2019-10913 ensures that HTTP Methods are sanitized for use in unescaped contexts.

April 17, 2019 Fabien Potencier

CVE-2019-10910: Check service IDs are valid

CVE-2019-10910 fixes an issue where crafted service IDs could be executed as code

April 17, 2019 Fabien Potencier

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

CVE-2019-10912 fixes an issue where files could be deleted or raw output echoed when some classes were unserialized.

April 17, 2019 Fabien Potencier

CVE-2019-10911: Add a separator in the remember me cookie hash

CVE-2019-10911 fixes an issue where there was not a clear differentiation between different parts of the content of a cookie allowing for potential to authenticate as a different user in particular situations

April 17, 2019 Fabien Potencier

Twig: Sandbox Information Disclosure

Fixing a vulnerability in Twig's sandbox mode.

March 12, 2019 Fabien Potencier

CVE-2019-11325: Fix escaping of strings in VarExporter

CVE-2019-18886: Prevent user enumeration using switch user functionality

CVE-2019-18887: Use constant time comparison in UriSigner

CVE-2019-18889: Forbid serializing AbstractAdapter and TagAwareAdapter instances

CVE-2019-10909: Escape validation messages in the PHP templating engine

CVE-2019-10913: Reject invalid HTTP method overrides

CVE-2019-10910: Check service IDs are valid

CVE-2019-10912: Prevent destructors with side-effects from being unserialized

CVE-2019-10911: Add a separator in the remember me cookie hash

Twig: Sandbox Information Disclosure

What is Symfony?

Learn Symfony

Screencasts

Community

Blog

Services

Deployed on