9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36610

GHSA ID

GHSA-cg28-v4wq-whv5

EPSS Score

CWE

CWE-94

Published

11/29/2024

Updated

12/3/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36610

CVE-2024-36610: Withdrawn Advisory: Symfony's VarDumper vulnerable to unsafe deserialization

Withdrawn Advisory

This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5048.

Original Description

A deserialization vulnerability exists in the Stub class of the VarDumper module in Symfony. The vulnerability stems from deficiencies in the original implementation when handling properties with null or uninitialized values. An attacker could construct specific serialized data and use this vulnerability to execute unauthorized code.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36610

GHSA ID

GHSA-cg28-v4wq-whv5

EPSS Score

CWE

CWE-94

Published

11/29/2024

Updated

12/3/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/var-dumper	composer	< 6.4.4	6.4.4
symfony/var-dumper	composer	>= 7.0.0, < 7.0.4	7.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from how the __sleep() method in the Stub class handled property serialization. The original implementation used get_class_vars() which doesn't distinguish between uninitialized typed properties and null values. The patch introduced the NoDefault marker and ReflectionClass checks to properly track initialization states. This indicates the __sleep() method was the entry point for unsafe serialization behavior that could be exploited through crafted payloads. The high confidence comes from the direct correlation between the patched code in Stub.php and the CWE-94 (Code Injection) classification in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* t** r*port is not p*rt o* * v*li* vuln*r**ility. T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. *or mor* in*orm*tion, s** **visory-**t***s*/pull/****. ## Ori*in*l **s*ription *

Reasoning

T** vuln*r**ility st*mm** *rom *ow t** __sl**p() m*t*o* in t** Stu* *l*ss **n*l** prop*rty s*ri*liz*tion. T** ori*in*l impl*m*nt*tion us** **t_*l*ss_v*rs() w*i** *o*sn't *istin*uis* **tw**n uniniti*liz** typ** prop*rti*s *n* null v*lu*s. T** p*t** in

9.8

Basic Information

Concerned about an active attack path?

CVE-2024-36610: Withdrawn Advisory: Symfony's VarDumper vulnerable to unsafe deserialization

Withdrawn Advisory

Original Description

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI