Affected versions

Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue.

The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.

Description

When the register_argv_argc php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Resolution

The SymfonyRuntime now ignores the argv values for non-cli SAPIs PHP runtimes

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Душейко Владимир for reporting the issue and Wouter de Jong for providing the fix.

Symfony Blog

Read More