
CVE-2015-4050: ESI unauthorized access

Affected Versions

2.3.19 - 2.3.28, 2.4.9 - 2.4.10, 2.5.4 - 2.5.11, 2.6.0 - 2.6.7 versions of the Symfony HttpKernel component are affected by this security issue.

This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained anymore. Symfony 2.7 hasn't been released yet and the fix will be included in the first stable release.


Applications with ESI or SSI support enabled that use the FragmentListener are vulnerable to unauthorized access. A malicious user can call any controller via the /_fragment path by providing an invalid hash in the URL (or removing it altogether), bypassing URL signing and any security rules that would otherwise apply to that controller.

FragmentListener throws an AccessDeniedHttpException when the URL is not signed correctly. However, the ExceptionListener then handles that exception by making a sub-request, which triggers the kernel request events again. Since the FragmentListener does not validate the signature on sub-requests, it still populates the request attributes from the unsigned _path parameter, so the controller named by the attacker is called even though the original request was forbidden. As a result the user receives a 403 response whose content was generated by that controller.


The fix adds a check to the FragmentListener so that it returns early when a _controller attribute has already been set on the request, which is the case for the sub-request created by the ExceptionListener.
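To make the sequence above concrete, here is an added example that is not Symfony's code and not part of this advisory: a self-contained PHP 8 model of the FragmentListener logic, with the pre-fix and post-fix behaviour selected by a flag, plus a simulation of the master request, the AccessDeniedHttpException and the exception sub-request. It also runs a correctly signed request through both variants, which the advisory does not describe, to show that the patch leaves legitimate fragments untouched. The names Req, fragment_listener, run_flow, sign, SECRET and the controller name AdminBundle:Admin:dump are assumptions made for this example, and the signing helper only approximates Symfony's UriSigner; the _path, _hash and _controller names and the /_fragment path are Symfony's.

```php
<?php
// Added example, not Symfony's own code and not part of the advisory: a
// self-contained model of the FragmentListener logic described above, with the
// pre-fix and post-fix behaviour selected by a flag, plus a simulation of the
// master request -> AccessDeniedHttpException -> exception sub-request flow.
// Req, fragment_listener, run_flow, sign, SECRET and the controller name
// AdminBundle:Admin:dump are assumptions for this example; the _path, _hash
// and _controller names and the /_fragment path are Symfony's.
declare(strict_types=1);

const FRAGMENT_PATH = '/_fragment';
const SECRET = 'example-secret'; // assumed; Symfony signs with the kernel secret

final class Req
{
    public function __construct(
        public string $pathInfo,
        public array $query = [],      // query string parameters (_path, _hash)
        public array $attributes = [], // request attributes (_controller, ...)
        public bool $master = true,    // false for sub-requests
    ) {}
}

// Approximation of Symfony's UriSigner: HMAC-SHA256 over the URL with _hash removed.
function expected_hash(Req $r): string
{
    $q = $r->query;
    unset($q['_hash']);
    ksort($q);
    return base64_encode(hash_hmac('sha256', $r->pathInfo . '?' . http_build_query($q), SECRET, true));
}

function sign(Req $r): Req
{
    $r->query['_hash'] = expected_hash($r);
    return $r;
}

// Model of FragmentListener::onKernelRequest(). With $fixed = false the listener
// behaves as in the affected versions; with $fixed = true it contains the check
// from the patch (return early when _controller is already set).
function fragment_listener(Req $r, bool $fixed): void
{
    if ($r->pathInfo !== FRAGMENT_PATH) {
        return;
    }

    if ($fixed && isset($r->attributes['_controller'])) {
        // Sub-request built by the ExceptionListener already knows its controller:
        // do not let the unsigned _path payload overwrite it.
        unset($r->query['_path']);
        return;
    }

    // The signature is only validated on master requests, never on sub-requests.
    if ($r->master && !hash_equals(expected_hash($r), (string) ($r->query['_hash'] ?? ''))) {
        throw new RuntimeException('AccessDeniedHttpException: bad fragment signature');
    }

    // Fragment routing: request attributes (including _controller) come from _path.
    parse_str($r->query['_path'] ?? '', $attrs);
    $r->attributes = array_merge($r->attributes, $attrs);
    unset($r->query['_path']);
}

// Model of the kernel: run the master request, and on an exception do what the
// ExceptionListener does, i.e. duplicate the request with _controller pointing at
// the exception controller and dispatch the request listeners again as a sub-request.
function run_flow(Req $request, bool $fixed): array
{
    try {
        fragment_listener($request, $fixed);
        return ['status' => 200, 'controller' => $request->attributes['_controller'] ?? null];
    } catch (RuntimeException $e) {
        $sub = new Req($request->pathInfo, $request->query,
            ['_controller' => 'exception_controller', 'exception' => $e->getMessage()], false);
        fragment_listener($sub, $fixed);
        return ['status' => 403, 'controller' => $sub->attributes['_controller']];
    }
}

// Constructed attacker request: a _path naming an arbitrary controller, no _hash at all.
$attack = fn (): Req => new Req(FRAGMENT_PATH, ['_path' => '_controller=AdminBundle:Admin:dump']);

foreach (['vulnerable' => false, 'fixed' => true] as $label => $fixed) {
    $forged = run_flow($attack(), $fixed);
    $signed = run_flow(sign($attack()), $fixed);
    printf("%-10s unsigned -> HTTP %d, controller executed: %s\n", $label, $forged['status'], $forged['controller']);
    printf("%-10s signed   -> HTTP %d, controller executed: %s\n", $label, $signed['status'], $signed['controller']);
}
```

The point to watch in the output is the controller name attached to the 403: in the vulnerable variant the unsigned request is rejected by the master-request check, but the exception sub-request re-parses the attacker's _path and ends up executing AdminBundle:Admin:dump, whose output would become the 403 body; in the fixed variant the early return keeps exception_controller in place. The signed request is accepted by both variants, so the patch changes nothing for legitimately signed ESI fragments.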

The patch for this issue is available here.


I would like to thank Jakub Zalas for reporting this security issue and providing a fix. Jakub also wrote the security advisory.



To clarify, your application is affected if esi support is enabled in your config.yml, but you haven't disabled the FragmentListener (framework -> fragments -> enabled: false).
I've just run security:check on v2.6.7 and got no results. Am I wrong in thinking this issue should pop up?
@Mac it has been fixed in v2.6.8 so v2.6.7 can not detect the issue.
After reading again what security:check does, I think it should detect it.
A PR to the security advisory was merged after this blog post was written (see ...); security:check detects this vulnerability now.
