Security Issues

Edit this page

Warning: You are browsing the documentation for Symfony 2.0, which is no longer maintained.

Read the updated version of this page for Symfony 6.1 (the current stable version).

Security Issues

This document explains how Symfony security issues are handled by the Symfony core team (Symfony being the code hosted on the main symfony/symfony Git repository).

Reporting a Security Issue

If you think that you have found a security issue in Symfony, don't use the mailing-list or the bug tracker and don't publish it publicly. Instead, all security issues must be sent to security [at] Emails sent to this address are forwarded to the Symfony core-team private mailing-list.

Resolving Process

For each report, we first try to confirm the vulnerability. When it is confirmed, the core-team works on a solution following these steps:

  1. Send an acknowledgement to the reporter;
  2. Work on a patch;
  3. Get a CVE identifier from;
  4. Write a security announcement for the official Symfony blog about the vulnerability. This post should contain the following information:

    • a title that always include the "Security release" string;
    • a description of the vulnerability;
    • the affected versions;
    • the possible exploits;
    • how to patch/upgrade/workaround affected applications;
    • the CVE identifier;
    • credits.
  5. Send the patch and the announcement to the reporter for review;
  6. Apply the patch to all maintained versions of Symfony;
  7. Package new versions for all affected versions;
  8. Publish the post on the official Symfony blog (it must also be added to the "`Security Advisories`_" category);
  9. Update the security advisory list (see below).


Releases that include security issues should not be done on Saturday or Sunday, except if the vulnerability has been publicly posted.


While we are working on a patch, please do not reveal the issue publicly.

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.