Polyfill 1.38.1 is a security release that fixes a vulnerability in
symfony/polyfill-intl-idn. All users of this polyfill (directly or
through symfony/polyfill) should upgrade as soon as possible. The
release also bundles a handful of correctness fixes for the Mbstring,
Grapheme, and cURL/MySQL constant polyfills.
Security fix
CVE-2026-46644 (medium): the IDN
polyfill accepted xn-- labels whose Punycode payload was empty or
decoded to ASCII-only code points (e.g. xn--kc1zs4-), while PHP's
native ext-intl correctly rejects them with
IDNA_ERROR_INVALID_ACE_LABEL per UTS #46 revision 33. Because of
that, two originally distinct domain names could canonicalize to the
same value through the polyfill, which can lead to blacklist bypasses,
inconsistent URL parsing, and server-side request forgery (similar to
CVE-2024-12224).
Applications that compared or normalized hostnames via idn_to_ascii()
or idn_to_utf8() on runtimes without the intl extension were
exposed; upgrading to 1.38.1 aligns the polyfill with the native
behavior.
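To make the rule concrete, the following is an added illustration in Python, not code from symfony/polyfill (the polyfill itself is PHP): a hostname check that enforces what the 1.38.1 fix aligns with ext-intl on, namely that every xn-- label must carry a non-empty Punycode payload that decodes to at least one non-ASCII code point. Python's built-in punycode codec does the RFC 3492 decoding. The lenient variant is a model constructed here to show the canonicalization collision the advisory describes; the function names and the `.example` hostnames are assumptions.

```python
"""Strict vs. lenient handling of ACE ("xn--") labels.

Added illustration, not symfony/polyfill code. decode_ace_label() applies the
check from the 1.38.1 fix; canonicalize_host_lenient() models the pre-fix
behaviour so the collision on "xn--kc1zs4-" (the advisory's example) is visible.
"""
import codecs
from typing import Optional

ACE_PREFIX = "xn--"


def decode_ace_label(label: str) -> Optional[str]:
    """Return the Unicode form of an ACE label, or None if the label is invalid.

    Invalid means: contains non-ASCII, empty Punycode payload, a payload that
    fails to decode, or a payload that decodes to an empty or ASCII-only string
    (e.g. "xn--kc1zs4-" decodes to "kc1zs4", which is the rejected case).
    """
    if not label.isascii():
        return None
    payload = label[len(ACE_PREFIX):]
    if payload == "":
        return None
    try:
        decoded = codecs.decode(payload.encode("ascii"), "punycode")
    except UnicodeError:
        return None
    if decoded == "" or decoded.isascii():
        return None
    return decoded


def canonicalize_host(host: str) -> Optional[str]:
    """Lower-case the host and validate every ACE label (strict behaviour).

    Returns the ASCII form, or None if any xn-- label is rejected. Non-ACE labels
    pass through unchanged; full UTS #46 mapping is out of scope here.
    """
    labels = host.lower().rstrip(".").split(".")
    for label in labels:
        if label.startswith(ACE_PREFIX) and decode_ace_label(label) is None:
            return None
    return ".".join(labels)


def canonicalize_host_lenient(host: str) -> str:
    """Constructed model of the pre-1.38.1 behaviour, NOT the polyfill's code:
    ACE labels are Punycode-decoded with no ASCII-only check, so "xn--kc1zs4-"
    turns into "kc1zs4" and collides with the plain label of the same name."""
    out = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith(ACE_PREFIX):
            try:
                label = codecs.decode(label[len(ACE_PREFIX):].encode("ascii"), "punycode")
            except UnicodeError:
                pass  # leave an undecodable label as-is
        out.append(label)
    return ".".join(out)


if __name__ == "__main__":
    # Constructed sample hostnames (not from the advisory beyond "xn--kc1zs4-").
    for host in ("xn--kc1zs4-.example", "kc1zs4.example", "xn--mnchen-3ya.example", "xn--.example"):
        print(f"{host:28} strict={canonicalize_host(host)!r:30} lenient={canonicalize_host_lenient(host)!r}")
```

A blocklist keyed on the lenient form sees `xn--kc1zs4-.example` and `kc1zs4.example` as the same host, which is the bypass the advisory warns about; the strict form refuses the ACE spelling outright, matching ext-intl's IDNA_ERROR_INVALID_ACE_LABEL.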
Notable bug fixes
A few cross-version correctness fixes ship alongside the security patch:
- Mbstring (PHP 8.3/8.4): PHP 7-specific mb_* declarations are now isolated into bootstrap72.php so they no longer leak into newer runtimes.
- Grapheme: grapheme_str_split() now works on systems still using PCRE 8.
- Mbstring (PHP 7.4 path): newline handling in mb_str_split() now matches the native behavior.
- Additional cURL constants are polyfilled, and several MySQL constants are now defined with the correct values.
Full Changelog
- CVE-2026-46644 [Intl][Idn] Reject xn-- labels whose Punycode payload decodes to ASCII-only (@nicolas-grekas)
- #619 [Mbstring][Php83][Php84] Isolate PHP 7 mb_* declarations into bootstrap72.php (@nicolas-grekas)
- #617 Polyfill more cURL constants (@GPHemsley)
- #618 fix: Correctly define MySQL constants (@mitelg)
- #616 Fix grapheme_str_split() on PCRE 8 (@GPHemsley)
- #615 Fix newline handling in Php74 implementation of mb_str_split() (@GPHemsley)