Symfony Allows URI Restrictions Bypass Via Double-Encoded String

RSS Feed MODERATE

GHSA-83c3-qx27-2rwr CVE-2012-6431

Description:

On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in.

Both the Routing component and the Security component uses the path returned by getPathInfo() to match a Request. The getPathInfo() returns a decoded path, but the Routing component (Symfony\Component\Routing\Matcher\UrlMatcher) decodes the path a second time; whereas the Security component, Symfony\Component\HttpFoundation\RequestMatcher, does not.

This difference causes Symfony 2.0 to be vulnerable to double encoding attacks.

Affected Packages

Ecosystem	Package	Vulnerable Versions	Patched Version
packagist	`symfony/symfony`	`>= 2.0.0, < 2.0.19`	`2.0.19`
packagist	`symfony/security`	`>= 2.0.0, < 2.0.19`	`2.0.19`
packagist	`symfony/routing`	`>= 2.0.0, < 2.0.19`	`2.0.19`
packagist	`symfony/http-foundation`	`>= 2.0.0, < 2.0.19`	`2.0.19`

Related Dependabot Pull Requests

All Open Closed Merged

No Related Pull Requests

No Dependabot pull requests have been found that reference this security advisory.

Actions

View on GitHub All Advisories

Advisory Details

Published:	May 17, 2022 about 4 years ago
Updated:	June 07, 2026 11 days ago
EPSS:	0.22% 45th percentile
Source:	Github
Classification:	GENERAL
UUID:	`GSA_kwCzR0hTQS04M2MzLXF4MjctMnJ3cs4AAfXs`

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Dependabot