Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Resolution

The SymfonyRuntime now ignores the argv values for non-cli SAPIs PHP runtimes

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

Published in #Security Advisories