Symfony vulnerable to open redirect via browser-sanitized URLs
Package
Affected versions
< 5.4.46
>= 6.0.0, < 6.4.14
>= 7.0.0, < 7.1.7
Patched versions
5.4.46
6.4.14
7.1.7
Description
Published to the GitHub Advisory Database
Nov 6, 2024
Reviewed
Nov 6, 2024
Published by the National Vulnerability Database
Nov 6, 2024
Last updated
Nov 12, 2024
Description
The
Request
class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on theRequest
class to redirect users to another domain.Resolution
The
Request::create
methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.
References