Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-50340Injection in Symfony

CWE-74InjectionCWE-20Improper Input Validation9 documents7 sources
Severity
7.3HIGHNVD
OSV8.8
EPSS
85.6%
top 0.62%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
3
SymfonySymfony RuntimeDebian Symfony
Timeline
PublishedNov 6
Latest updateFeb 18

Description

symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages6 packages

Packagistsymfony/runtime5.3.05.4.46+2
debiandebian/symfony< symfony 5.4.23+dfsg-1+deb12u3 (bookworm)
CVEListV5symfony/symfony< 5.4.46+2
Packagistsymfony/symfony5.3.05.4.46+2
Debiansymfony/symfony< 5.4.23+dfsg-1+deb12u3+2

🔴Vulnerability Details

4
OSV
symfony vulnerabilities2025-02-18
OSV
Symfony allows changing the environment through a query2024-11-06
OSV
CVE-2024-50340: symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state2024-11-06
GHSA
Symfony allows changing the environment through a query2024-11-06

💥Exploits & PoCs

1
Nuclei
Symfony Profiler - Remote Access via Injected Arguments

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340)2024-11-13

📋Vendor Advisories

2
Ubuntu
Symfony vulnerabilities2025-02-18
Debian
CVE-2024-50340: symfony - symfony/runtime is a module for the Symphony PHP framework which enables decoupl...2024