CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy

Affected Versions

All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application.

This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.2 as it is not maintained anymore.


When you enable the ESI feature and when you are using a proxy like Varnish that you configured as a trusted proxy, the FragmentHandler considered requests to render fragments as coming from a trusted source, even if the client was requesting them directly. Symfony can not distinguish between ESI requests done on behalf of the client by Varnish and faked fragment requests coming directly from the client.

To mitigate this issue, and for not-supported Symfony versions, you can use the following workaround in your Varnish configuration (/_fragment being the URL path prefix configured under the fragment setting of the framework bundle configuration):

sub vcl_recv {
    if (req.restarts == 0 && req.url ~ "^/_fragment") {
        error 400;


We do not rely on trusted IPs anymore when validating a fragment request as all fragment URLs are now signed.

The patch for this issue is available here:


I would like to thank Cédric Nirousset, Trent Steel, and Christophe Coevoet for reporting this security issue, Christophe Coevoet for providing the patch, and David Buchmann for helping writing this blog post.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.
If you have found a security issue in Symfony, please send the details to security [at] and don't disclose it publicly until we can provide a fix for it.
Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.

CVE-2014-5245: Direct access of ESI URLs behind a trusted proxy

Tweet this


Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.