Improper Input Validation Affecting symfony/http-foundation package, versions >=4.2.0, <4.2.7


0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.17% (54th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-SYMFONYHTTPFOUNDATION-174501
  • published 24 Apr 2019
  • disclosed 24 Apr 2019
  • credit mschop

How to fix?

Upgrade symfony/http-foundation to version 4.2.7 or higher.

Overview

symfony/http-foundation is a component defines an object-oriented layer for the HTTP specification.

Affected versions of this package are vulnerable to Improper Input Validation. The function getMethod() did not validate or escape the X-HTTP-Method-Override header or the HTTP method itself. This could result in those input being returned in dangerous contexts under certain circumstances.