| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/runtime | composer | >= 5.3.0, < 5.4.46 | 5.4.46 |
| symfony/runtime | composer | >= 6.0.0, < 6.4.14 | 6.4.14 |
| symfony/runtime | composer | >= 7.0.0, < 7.1.7 | 7.1.7 |
| symfony/symfony | composer | >= 5.3.0, < 5.4.46 | 5.4.46 |
| symfony/symfony | composer | >= 6.0.0, < 6.4.14 | 6.4.14 |
| symfony/symfony | composer | >= 7.0.0, < 7.1.7 | 7.1.7 |
The vulnerability stems from `SymfonyRuntime` using `$_SERVER['argv']` in non-CLI environments when `register_argc_argv=On`. The `__construct` method originally allowed argv processing whenever `$_SERVER['argv']` existed, regardless of SAPI type. The `getInput` method lacked checks for `$_GET` emptiness and `register_argc_argv` status, letting attackers inject argv-like parameters via query strings. The patch added `$_GET` emptiness checks and SAPI validation, confirming these functions were the vulnerable points.
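The guards the advisory describes, as an added illustration in plain PHP that is not Symfony's own code: `trustedArgv` and `unsafeArgv` are hypothetical names, and the inputs (`$_SERVER`, `$_GET`, the SAPI name, the ini flag) are passed explicitly so the check can be exercised offline against constructed sample data.

```php
<?php
declare(strict_types=1);

/**
 * Returns the argv array that may be handed to a console input, or null
 * when the request is not a real CLI invocation. The guards mirror the
 * fix described above: SAPI validation plus checks on $_GET emptiness
 * and register_argc_argv. (Illustration only, not SymfonyRuntime's code.)
 *
 * @param array<string,mixed> $server           snapshot of $_SERVER
 * @param array<string,mixed> $get              snapshot of $_GET
 * @param string              $sapi             value of PHP_SAPI
 * @param bool                $registerArgcArgv ini_get('register_argc_argv')
 * @return string[]|null
 */
function trustedArgv(array $server, array $get, string $sapi, bool $registerArgcArgv): ?array
{
    if (!isset($server['argv']) || !is_array($server['argv'])) {
        return null;
    }
    // Guard 1 (SAPI): only the command-line SAPI can supply real arguments.
    // Under fpm-fcgi, apache2handler, cli-server and friends, argv is never CLI input.
    if ($sapi !== 'cli') {
        return null;
    }
    // Guard 2: with register_argc_argv=On, a web request's query string is what
    // fills $_SERVER['argv'], so a populated $_GET means argv is request data.
    if ($registerArgcArgv && $get !== []) {
        return null;
    }
    return array_values(array_map('strval', $server['argv']));
}

// The vulnerable shape described in the advisory: argv is used whenever present,
// with no regard for the SAPI or for where the values came from.
function unsafeArgv(array $server): ?array
{
    return $server['argv'] ?? null;
}

// Constructed samples: a web request made with register_argc_argv=On (PHP has
// filled argv from the query string) and a genuine command-line invocation.
$webServer = ['argv' => ['foo'], 'REQUEST_METHOD' => 'GET'];
$webGet    = ['foo' => ''];
$cliServer = ['argv' => ['bin/console', 'cache:clear']];

echo 'web request, unsafe:   ', json_encode(unsafeArgv($webServer)), PHP_EOL;
echo 'web request, guarded:  ', json_encode(trustedArgv($webServer, $webGet, 'fpm-fcgi', true)), PHP_EOL;
echo 'cli request, guarded:  ', json_encode(trustedArgv($cliServer, [], 'cli', true)), PHP_EOL;
```

The guarded version returns null for the web request and passes the CLI arguments through unchanged, which is the behaviour the patched versions listed in the table restore.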