7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2014-5244

GHSA ID

GHSA-v77v-x634-9m56

EPSS Score

CWE

CWE-1333

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-5244

CVE-2014-5244: Symfony vulnerable to denial of service via a malicious HTTP Host header

All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue.

This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore.

Description When an arbitrarily long hostname is sent by a client, its parsing in Request::getHost() can lead to a DoS attack, due to the way we validate the hostname via a regular expression.

Resolution The regular expression used to parse and validate the hostname from the HTTP request has been modified to avoid too much sensitivity to the submitted value length.

The patch for this issue is available here: https://github.com/symfony/symfony/pull/11828

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2014-5244

GHSA ID

GHSA-v77v-x634-9m56

EPSS Score

CWE

CWE-1333

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/http-foundation	composer	>= 2.0.0, < 2.3.19	2.3.19
symfony/http-foundation	composer	>= 2.4.0, < 2.4.9	2.4.9
symfony/http-foundation	composer	>= 2.5.0, < 2.5.4	2.5.4
symfony/symfony	composer	>= 2.0.0, < 2.3.19	2.3.19
symfony/symfony	composer	>= 2.4.0, < 2.4.9	2.4.9
symfony/symfony	composer	>= 2.5.0, < 2.5.4	2.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems directly from Request::getHost()'s host validation implementation. Multiple sources confirm: 1) The advisory explicitly mentions this method as the attack vector 2) The patch modifies host validation regex in HttpFoundation 3) Commit 5506ee8 titled 'Fix potential DoS when parsing HOST' targets this functionality 4) CWE-1333 specifically describes regex inefficiency vulnerabilities. The function's role in parsing untrusted Host headers using a vulnerable regex makes it the clear entry point for this DoS attack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll *.*.X, *.*.X, *.*.X, *.*.X, *.*.X, *n* *.*.X v*rsions o* t** Sym*ony *ttp*oun**tion *ompon*nt *r* *****t** *y t*is s**urity issu*. T*is issu* **s ***n *ix** in Sym*ony *.*.**, *.*.*, *n* *.*.*. Not* t**t no *ix*s *r* provi*** *or Sym*ony *.*, *.

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom `R*qu*st::**t*ost()`'s *ost v*li**tion impl*m*nt*tion. Multipl* sour**s *on*irm: *) T** **visory *xpli*itly m*ntions t*is m*t*o* *s t** *tt**k v**tor *) T** p*t** mo*i*i*s *ost v*li**tion r***x in `*ttp*oun**tion

7.5

Basic Information

Concerned about an active attack path?

CVE-2014-5244: Symfony vulnerable to denial of service via a malicious HTTP Host header

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI