-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from the HTTP cache system storing responses with 'Set-Cookie' headers. The patch modifies the Store class constructor to accept private headers and adds logic in the write method to remove them. The pre-patch version of write() lacked this header removal step, making it the vulnerable function. The test case added in StoreTest.php explicitly verifies this behavior, confirming write() as the entry point for improper header storage.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/http-kernel | composer | >= 2.0.0, < 4.4.50 | 4.4.50 |
| symfony/http-kernel | composer | >= 5.0.0, < 5.4.20 | 5.4.20 |
| symfony/http-kernel | composer | >= 6.0.0, < 6.0.20 | 6.0.20 |
| symfony/http-kernel | composer | >= 6.1.0, < 6.1.12 | 6.1.12 |
| symfony/http-kernel | composer | >= 6.2.0, < 6.2.6 | 6.2.6 |
| symfony/symfony | composer | >= 2.0.0, < 4.4.50 | 4.4.50 |
| symfony/symfony | composer | >= 5.0.0, < 5.4.20 | 5.4.20 |
| symfony/symfony | composer | >= 6.0.0, < 6.0.20 | 6.0.20 |
| symfony/symfony | composer | >= 6.1.0, < 6.1.12 | 6.1.12 |
| symfony/symfony | composer | >= 6.2.0, < 6.2.6 | 6.2.6 |
PHPPHPOngoing coverage of React2Shell