Affected versions

Symfony versions <5.4.43; >=6, <6.4.11; >=7, <7.1.4 of the Symfony Validator component are affected by this security issue.

The issue has been fixed in Symfony 5.4.43, 6.4.11, and 7.1.4.

Description

It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n.

Resolution

Symfony now uses the D regex modifier to match the entire input.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix.

Published in #Security Advisories