CVE-2024-50340
Published 2024-11-06
Priority: P2 · 70 · high · CVSS 3.1: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EXPLOIT
EPSS: 63.42% (99.1th percentile)
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | symfony | < symfony 5.4.23+dfsg-1+deb12u3 (bookworm) | symfony 5.4.23+dfsg-1+deb12u3 (bookworm) |
| symfony | runtime | >= 5.3.0 < 5.4.46 | 5.4.46 |
| symfony | runtime | >= 5.4.46 < 5.4.52 | 5.4.52 |
| symfony | runtime | >= 6.0.0 < 6.4.14 | 6.4.14 |
| symfony | runtime | >= 6.4.14 < 6.4.40 | 6.4.40 |
| symfony | runtime | >= 7.0.0 < 7.1.7 | 7.1.7 |
| symfony | runtime | >= 7.1.7 < 7.4.12 | 7.4.12 |
| symfony | runtime | >= 8.0.0 < 8.0.12 | 8.0.12 |
| symfony | symfony | < 5.4.46 | 5.4.46 |
| symfony | symfony | — | — |
| symfony | symfony | — | — |
| symfony | symfony | >= 0 < 5.4.23+dfsg-1+deb12u3 | 5.4.23+dfsg-1+deb12u3 |
| symfony | symfony | >= 0 < 6.4.14+dfsg-1 | 6.4.14+dfsg-1 |
| symfony | symfony | >= 0 < 6.4.14+dfsg-1 | 6.4.14+dfsg-1 |
| symfony | symfony | >= 0 < 4.3.8+dfsg-1ubuntu1+esm2 | 4.3.8+dfsg-1ubuntu1+esm2 |
| symfony | symfony | >= 0 < 5.4.4+dfsg-1ubuntu8+esm1 | 5.4.4+dfsg-1ubuntu8+esm1 |
| symfony | symfony | >= 0 < 6.4.5+dfsg-3ubuntu3+esm1 | 6.4.5+dfsg-3ubuntu3+esm1 |
| symfony | symfony | >= 5.3.0 < 5.4.46 | 5.4.46 |
| symfony | symfony | >= 5.4.46 < 5.4.52 | 5.4.52 |
| symfony | symfony | >= 6.0.0 < 6.4.14 | 6.4.14 |
| symfony | symfony | >= 6.4.14 < 6.4.40 | 6.4.40 |
| symfony | symfony | >= 7.0.0 < 7.1.7 | 7.1.7 |
| symfony | symfony | >= 7.1.7 < 7.4.12 | 7.4.12 |
| symfony | symfony | >= 8.0.0 < 8.0.12 | 8.0.12 |
Detection & IOCs

path: `/_profiler/phpinfo`

snort:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340)"; flow:established,to_server; http.uri; content:"|3d|dev"; nocase; pcre:"/[\x3f\x26]\x2b\x2d{1,2}e(?:nv)?\x3ddev/i"; reference:url,github.com/Nyamort/CVE-2024-50340; reference:cve,2024-50340; classtype:web-application-attack; sid:2057414; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_11_13, cve CVE_2024_50340, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit query string pattern: a `+--env=dev` or `+--e=dev` argument injected into any URL query string (after `?` or `&`) triggers environment manipulation. Match the URI against the PCRE pattern `/[\x3f\x26]\x2b\x2d{1,2}e(?:nv)?\x3ddev/i`.
- Probe for active exploitation by checking for an HTTP 200 response to `/_profiler/phpinfo?+--env=dev` with a body containing both 'PHP Extension' and 'PHP Version', which indicates the profiler is exposed in dev mode.
- Initial fingerprinting: detect Symfony applications via a response body containing 'symfony' (case-insensitive) or a `Set-Cookie: symfony` response header before probing the profiler endpoint.
- The URI content indicator for the Snort/ET rule is the literal byte sequence `=dev` (`|3d|dev`) within the URI, combined with the injected argument prefix pattern.
- The vulnerability is only exploitable when the `register_argc_argv` PHP directive is set to `on`. Installations with this directive disabled are not affected.
- The fix (ignoring `argv` values for non-SAPI PHP runtimes) is present in versions 5.4.46, 6.4.14, and 7.1.7. Debian-specific fixed versions are 5.4.23+dfsg-1+deb12u3 (bookworm) and 6.4.14+dfsg-1 (forky/sid/trixie).
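For retrospective hunting, the ET rule's PCRE and the profiler-path indicator above can be run over web access logs. This is an added example, not code from the ET ruleset or any indexed source; the combined log format, the `classify`/`scan` names, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# PCRE copied from the ET rule quoted above (sid 2057414).
ET_PATTERN = re.compile(r"[\x3f\x26]\x2b\x2d{1,2}e(?:nv)?\x3ddev", re.IGNORECASE)
PROFILER_PATH = "/_profiler/phpinfo"  # path indicator listed above

# Assumed combined log format: ip - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return None for a non-matching line, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    # Access logs keep the raw target; decode %xx once so %2B--env%3Ddev is
    # treated like the literal form. '+' is deliberately left as '+'.
    decoded = unquote(raw)
    if not (ET_PATTERN.search(raw) or ET_PATTERN.search(decoded)):
        return None
    path = decoded.split("?", 1)[0]
    on_profiler = path == PROFILER_PATH
    served = m.group("status") == "200"
    return {
        "ip": m.group("ip"),
        "target": raw,
        "profiler": on_profiler,
        # A 200 on the profiler path is the exposure signal described above.
        "priority": "high" if served and on_profiler else "review",
    }

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [13/Nov/2024:10:00:01 +0000] "GET /_profiler/phpinfo?+--env=dev HTTP/1.1" 200 81234 "-" "curl/8.5"',
    '198.51.100.7 - - [13/Nov/2024:10:00:02 +0000] "GET /login?next=%2F&%2B-e%3DDEV HTTP/1.1" 404 512 "-" "curl/8.5"',
    '203.0.113.9 - - [13/Nov/2024:10:00:03 +0000] "GET /search?q=env=dev HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Nov/2024:10:00:04 +0000] "GET /docs?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Like the rule it is taken from, the pattern only covers the `dev` value, so a clean result does not rule out requests that set other values.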
CVSS provenance
- nvd: v3.1, 7.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- ghsa: 7.3 HIGH
- osv: 8.8 HIGH
- vendor_debian: 7.3 HIGH
- vendor_ubuntu: 5.9 MEDIUM
GHSA
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
ghsa·2026-06-09·CVSS 7.3
CVE-2026-47767 [HIGH] CWE-20 SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
### Description
CVE-2024-50340 (GHSA-x8vp-gf4q-mw5j) addressed an issue where, with `register_argc_argv=On`, a crafted query string let an unauthenticated GET change the kernel environment and debug flag by feeding `--env`/`--no-debug` through `$_SERVER['argv']`. The fix shipped in `symfony/runtime` 5.4.46 / 6.4.14 / 7.1.7 gated the argv read on `empty($_GET)` as a proxy for "is this a CLI invocation".
That proxy is unsafe: `parse_str()` (which builds `$_GET`) and the web SAPI (which builds `$_SERVER['argv']` from the raw query when `register_argc_argv=On`) do not agree on every input, so an attacker can craft a query that leaves `$_GET` empty while `$_SERVER['argv']
OSV
symfony vulnerabilities
osv·2025-02-18·CVSS 8.8
CVE-2022-24894 [HIGH] symfony vulnerabilities
Soner Sayakci discovered that Symfony incorrectly handled cookie storage in
the web cache. An attacker could possibly use this issue to obtain
sensitive information and access unauthorized resources. (CVE-2022-24894)
Marco Squarcina discovered that Symfony incorrectly handled the storage of
user session information. An attacker could possibly use this issue to
perform a cross-site request forgery (CSRF) attack. (CVE-2022-24895)
Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An
attacker could possibly use this issue to perform cross site scripting.
(CVE-2023-46734)
Vladimir Dusheyko discovered that Symfony incorrectly sanitized special
input with a PHP directive in URL query strings. An attacker could possibly
use this issue to expose sens
OSV
Symfony allows changing the environment through a query
osv·2024-11-06
CVE-2024-50340 [MEDIUM] Symfony allows changing the environment through a query
### Description
When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.
### Resolution
The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4.
### Credits
We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.
OSV
CVE-2024-50340: symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state
osv·2024-11-06·CVSS 7.3
CVE-2024-50340 [HIGH] CVE-2024-50340: symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
GHSA
Symfony allows changing the environment through a query
ghsa·2024-11-06
CVE-2024-50340 [MEDIUM] CWE-20 Symfony allows changing the environment through a query
### Description
When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.
### Resolution
The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4.
### Credits
We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.
Ubuntu
Symfony vulnerabilities
vendor_ubuntu·2025-02-18·CVSS 5.9
CVE-2022-24895 [MEDIUM] Symfony vulnerabilities
Title: Symfony vulnerabilities
Summary: Several security issues were fixed in Symfony.
Soner Sayakci discovered that Symfony incorrectly handled cookie storage in
the web cache. An attacker could possibly use this issue to obtain
sensitive information and access unauthorized resources. (CVE-2022-24894)
Marco Squarcina discovered that Symfony incorrectly handled the storage of
user session information. An attacker could possibly use this issue to
perform a cross-site request forgery (CSRF) attack. (CVE-2022-24895)
Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An
attacker could possibly use this issue to perform cross site scripting.
(CVE-2023-46734)
Vladimir Dusheyko discovered that Symfony incorrectly sanitized special
input with a PHP directive in URL query s
Debian
CVE-2024-50340: symfony - symfony/runtime is a module for the Symfony PHP framework which enables decoupl...
vendor_debian·2024·CVSS 7.3
CVE-2024-50340 [HIGH] CVE-2024-50340: symfony - symfony/runtime is a module for the Symfony PHP framework which enables decoupl...
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Scope: local
bookworm: resolved (fixed in 5.4.23+dfsg-1+deb12u3)
bullseye: resolved
forky: resolved (fixed in 6.4.14+dfsg-1)
sid: resolved (fixed in 6.4.14+dfsg-1)
trixie: resolved (fixed in 6.4.14+dfsg-1)
Suricata
ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340)
suricata·2024-11-13·CVSS 7.3
CVE-2024-50340 [HIGH] ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340)"; flow:established,to_server; http.uri; content:"|3d|dev"; nocase; pcre:"/[\x3f\x26]\x2b\x2d{1,2}e(?:nv)?\x3ddev/i"; reference:url,github.com/Nyamort/CVE-2024-50340; reference:cve,2024-50340; classtype:web-application-attack; sid:2057414; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_11_13, cve CVE_2024_50340, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T
Nuclei
Symfony Profiler - Remote Access via Injected Arguments
nuclei·CVSS 7.3
CVE-2024-50340 [HIGH] Symfony Profiler - Remote Access via Injected Arguments
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argc_argv` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes.
Template:

```yaml
id: CVE-2024-50340
info:
  name: Symfony Profiler - Remote Access via Injected Arguments
  author: DhiyaneshDK
  severity: high
  description: |
    symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `reg
```
2024-11-06
Published