CVE-2019-11325
CRITICAL9.8EPSS 4.7%Improper Input Validation in Symfony
Published: 2/12/2020Modified: 5/27/2026
Description
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
Affected packages (3)
- Debian/symfonyfrom 0, < 4.3.8+dfsg-1
- Packagist/symfony/symfony>= 4.2.0, < 4.2.12
- Packagist/symfony/var-exporter>= 4.2.0, < 4.2.12
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-11325
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-11325
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-11325.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/var-exporter/CVE-2019-11325.yaml
- WEBhttps://github.com/symfony/symfony/releases/tag/v4.3.8
- WEBhttps://github.com/symfony/var-exporter/compare/d8bf442...57e00f3
- WEBhttps://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter
- WEBhttps://symfony.com/blog/symfony-4-3-8-released
- WEBhttps://symfony.com/cve-2019-11325