CVE-2020-5255
LOW2.6EPSS 0.37%Prevent cache poisoning via a Response Content-Type header in Symfony
Published: 3/30/2020Modified: 5/27/2026
Description
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.
Affected packages (4)
- Bitnami/symfony>= 4.4.0, < 4.4.7, >= 5.0.0, < 5.0.7
- Debian/symfonyfrom 0, < 4.4.8-1
- Packagist/symfony/http-foundation>= 4.4.0, < 4.4.7
- Packagist/symfony/symfony>= 4.4.0, < 4.4.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW2.6 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L |
References (10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-5255
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-5255
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2020-5255.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5255.yaml
- WEBhttps://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6
- WEBhttps://github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ
- WEBhttps://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header
- WEBhttps://symfony.com/cve-2020-5255