The vulnerability stems from unsanitized locale values being used when PHP code is generated for translation caching. The key function is `loadCatalogue` in FrameworkBundle's `Translator`, which built PHP class names from raw locale values. The pre-patch code used simple string replacement (`str_replace`) rather than proper sanitization (`preg_replace`), which allowed code injection. In addition, neither the `Translator` constructor nor its `setLocale` method validated the locale, so a malicious locale could reach the vulnerable code path. The commit diff adds locale validation (`assertValidLocale`) and sanitization, confirming that these functions were the attack surface.
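
The two defensive layers described above, as an added example that is not Symfony's code: allow-list validation when the locale is set, and identifier sanitization when the cache class name is built. The function names, both regex patterns, and the single character replaced in the "before" form are assumptions made for illustration.

```php
<?php
// Added illustration. Function names and patterns are hypothetical,
// not taken from the Symfony code base.

// Layer 1: allow-list validation at the entry points (constructor, setLocale).
// Assumed pattern: non-empty, only letters, digits, '@', '_', '.', '-'.
function assert_valid_locale(string $locale): void
{
    if (preg_match('/^[a-z0-9@_.\-]+$/i', $locale) !== 1) {
        throw new InvalidArgumentException(
            sprintf('Invalid locale: %s', json_encode($locale))
        );
    }
}

// "Before" shape: a fixed string swap. Any character that was not
// anticipated passes through unchanged into the generated class name.
function class_suffix_str_replace(string $locale): string
{
    return str_replace('-', '_', $locale);
}

// "After" shape: every character that cannot appear in a PHP identifier
// is replaced, so the result is always a safe identifier fragment.
function class_suffix_preg_replace(string $locale): string
{
    return preg_replace('/[^a-z0-9_]/i', '_', $locale);
}

// Constructed sample inputs: three ordinary locales and one carrying
// characters that have meaning in PHP source.
$samples = ['en', 'fr-FR', 'sr@latin', 'en {};'];

foreach ($samples as $locale) {
    try {
        assert_valid_locale($locale);
        $verdict = 'accepted';
    } catch (InvalidArgumentException $e) {
        $verdict = 'rejected';
    }
    printf(
        "%-12s validation=%-9s str_replace=%-12s preg_replace=%s\n",
        json_encode($locale),
        $verdict,
        json_encode(class_suffix_str_replace($locale)),
        json_encode(class_suffix_preg_replace($locale))
    );
}
```

Validation and sanitization are independent controls: the first stops a bad locale at the API boundary, the second keeps generated code well-formed even if a value arrives by a path that skipped validation.
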
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/framework-bundle | composer | >= 2.0.0, < 2.3.18 | 2.3.18 |
| symfony/framework-bundle | composer | >= 2.4.0, < 2.4.8 | 2.4.8 |
| symfony/framework-bundle | composer | >= 2.5.0, < 2.5.2 | 2.5.2 |
| symfony/symfony | composer | >= 2.0.0, < 2.3.19 | 2.3.19 |
| symfony/symfony | composer | >= 2.4.0, < 2.4.9 | 2.4.9 |
| symfony/symfony | composer | >= 2.5.0, < 2.5.4 | 2.5.4 |