Symfony


Products by Symfony, sorted by most security vulnerabilities since 2018

Symfony Twig: 7 vulnerabilities
Symfony: 1 vulnerability
Symfony Ux Autocomplete: 1 vulnerability

By the Year

In 2025 there have been 2 vulnerabilities in Symfony with an average score of 7.3 out of ten. Last year, in 2024, Symfony had 3 security vulnerabilities published. Right now, Symfony is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 2.37.

Year   Vulnerabilities   Average Score
2025   2                 7.30
2024   3                 4.93
2023   1                 6.50
2022   2                 8.65
2021   0                 0.00
2020   0                 0.00
2019   1                 3.70
2018   1                 9.80

It may take a day or so for new Symfony vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Symfony Security Vulnerabilities

Each entry lists the CVE, publication date and affected product (where the listing names one), followed by its title and description.

CVE-2025-64500 (Nov 12, 2025) - Symfony
HTTP PATH Bypass in Symfony HttpFoundation Request v2.0.0 to 5.4.49/6.4.28/7.3.6
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` values in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

CVE-2025-24374 (Jan 29, 2025) - Twig
Twig 3.x Template Engine Escaping Missed in ?? Operator (fixed 3.19.0)
Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.

CVE-2024-50343 (Nov 06, 2024)
Symfony Validator Regex Bypass in v5.4, v6.4, v7.1
symfony/validator is a module for the Symfony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacter, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2024-50345 (Nov 06, 2024)
Symfony 5/6/7 URI Parsing Bypass
symfony/http-foundation is a module for the Symfony PHP framework which defines an object-oriented layer for the HTTP specification. The `Request` class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2024-45411 (Sep 09, 2024) - Twig
Twig Sandbox Bypass (v <1.44.8, <2.16.1, <3.14.0)
Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run, which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0.

CVE-2023-41336 (Sep 11, 2023) - Ux Autocomplete
ux-autocomplete EntityID Bypass in JS Autocomplete, before v2.11.2
ux-autocomplete is a JavaScript Autocomplete functionality for Symfony. Under certain circumstances, an attacker could successfully submit an entity id for an `EntityType` that is *not* part of the valid choices. The problem has been fixed in `symfony/ux-autocomplete` version 2.11.2.

CVE-2022-39261 (Sep 28, 2022) - Twig
Twig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.

CVE-2022-23614 (Feb 04, 2022) - Twig
Twig is an open source template language for PHP. When in sandbox mode, the `arrow` parameter of the `sort` filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling non-Closure callables in the `sort` filter, as is the case for some other filters. Users are advised to upgrade.

CVE-2019-9942 (Mar 23, 2019) - Twig
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.

CVE-2018-13818 (Jul 10, 2018) - Twig
Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).