
JsTranslationBundle Security Release

Andreas Forsblom reported two potential security issues in JsTranslationBundle: a path traversal and a remote code injection.

Indeed, the locales parameter was not validated, so it was possible to perform the following request:


The file something.js was created in the subdirectory messages.randomstring of the cache directory, which was not the intended behaviour. With a crafted value, it became possible to traverse out of the bundle's cache directory.


The request above served the following file:


Depending on the server configuration, it was even possible to create or overwrite files in the web directory. Validating the locales parameter mitigates this issue as well as the remote code injection.

It was also possible to pass JavaScript code in the locales parameter, which was then injected into the generated JS file.


The request above generated the following code:

(function (Translator) {
    Translator.fallback = 'en';
    Translator.defaultDomain = 'messages';
    // foo
uncommented code;
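Both issues come from the same root cause: the raw locale value is used both to build a file name under the cache directory and as text inside the generated JavaScript. The following Python model, added here as an illustration and not code from the bundle or from Symfony, shows the vulnerable path construction and file rendering next to a hardened version that rejects any locale not matching a strict allow-list. The cache root, the allow-list pattern and the exact shape of the generated file are assumptions made for the example.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed cache root for this example (not the bundle's real configuration).
CACHE_DIR = PurePosixPath("/var/cache/app/bazinga-js-translation")

# Assumed allow-list for locales: a language code plus optional script/region
# subtags (en, fr_FR, zh_Hans_CN). Nothing in it can form a path separator,
# a quote or a line break, so a value that passes cannot leave the cache
# directory or the JavaScript comment it is written into.
LOCALE_PATTERN = re.compile(r"[a-z]{2,3}(?:_[A-Za-z]{2,4})*")


def is_valid_locale(locale: str) -> bool:
    # fullmatch rather than match() with '$': '$' also accepts "en\n", and a
    # trailing newline is exactly what breaks out of the '// ...' comment.
    return LOCALE_PATTERN.fullmatch(locale) is not None


def _normalize(path: PurePosixPath) -> PurePosixPath:
    # Collapse '.' and '..' segments the way the filesystem would.
    return PurePosixPath(posixpath.normpath(str(path)))


def inside_cache_dir(path: PurePosixPath) -> bool:
    norm = _normalize(path)
    return norm == CACHE_DIR or CACHE_DIR in norm.parents


def cache_path_vulnerable(domain: str, locale: str) -> PurePosixPath:
    # Model of the pre-2.1.1 behaviour: the raw locale is spliced into the
    # cache file name, so '..' and '/' inside it are honoured.
    return _normalize(CACHE_DIR / f"{domain}.{locale}.js")


def cache_path(domain: str, locale: str) -> PurePosixPath:
    # Hardened: reject the value before it touches a path, then verify the
    # resulting path still lies under CACHE_DIR as a second line of defence.
    if not is_valid_locale(locale):
        raise ValueError(f"invalid locale: {locale!r}")
    path = _normalize(CACHE_DIR / f"{domain}.{locale}.js")
    if not inside_cache_dir(path):
        raise ValueError(f"cache path escapes cache dir: {path}")
    return path


def render_vulnerable(locale: str, domain: str = "messages", fallback: str = "en") -> str:
    # Model of the generated file: the locale lands inside a line comment.
    # A newline in the value ends the comment and the rest runs as code.
    return (
        "(function (Translator) {\n"
        f"    Translator.fallback = '{fallback}';\n"
        f"    Translator.defaultDomain = '{domain}';\n"
        f"    // {locale}\n"
        "})(Translator);\n"
    )


def render(locale: str, domain: str = "messages", fallback: str = "en") -> str:
    # The same allow-list check closes the injection: no newline can pass it.
    if not is_valid_locale(locale):
        raise ValueError(f"invalid locale: {locale!r}")
    return render_vulnerable(locale, domain, fallback)


if __name__ == "__main__":
    traversal = "../../../web/evil"
    injection = "foo\nuncommented code;"
    print(cache_path_vulnerable("messages", traversal))   # resolves outside CACHE_DIR
    print(render_vulnerable(injection))                    # fifth line is live JS
    for bad in (traversal, injection):
        try:
            cache_path("messages", bad)
        except ValueError as exc:
            print("rejected:", exc)
    print(cache_path("messages", "fr_FR"))
```

Note that the traversal needs one more `..` than the directory depth suggests, because the first `..` only cancels the `messages.` prefix that the locale is glued onto. When porting the check to PHP, remember that `$` in `preg_match` also matches before a final newline; anchor with `\z` or use the `D` modifier so a value like `"en\n"` is rejected.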

These two issues have been fixed in version 2.1.1. All users must upgrade to this release!

For further information, please read the release note.


