Improper Input Validation Affecting symfony package, versions <5.4.23+dfsg-1+deb12u3


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN12-SYMFONY-8352898
  • published8 Nov 2024
  • disclosed6 Nov 2024

Introduced: 6 Nov 2024

CVE-2024-50343  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Debian:12 symfony to version 5.4.23+dfsg-1+deb12u3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream symfony package and not the symfony package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a Validator configured with a regular expression using the $ metacharacters, with an input ending with \n. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the D regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.