CVE-2026-45071
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
Description
### Description `symfony/dom-crawler` provides the `Crawler` class for navigating HTML/XML documents with CSS/XPath selectors; `symfony/browser-kit`'s `HttpBrowser` uses it to parse fetched pages. `Crawler::addXmlContent()` sets `DOMDocument::$validateOnParse = true` before calling `loadXML()`. Setting `validateOnParse` re-enables libxml's DTD subset processing, including external entity resolution, even though `LIBXML_NONET` is passed. `LIBXML_NONET` blocks **network** fetches but not `file://` entities. An attacker-supplied XML document with a `SYSTEM "file:///etc/passwd"` entity is therefore expanded. ### Resolution The `Crawler::addXmlContent` method does not set the `validateOnParse` flag anymore. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d) for branch 5.4. ### Credits Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Affected packages (3)
- Debian/symfonyfrom 0
- Packagist/symfony/dom-crawlerfrom 0, < 5.4.52
- Packagist/symfony/symfonyfrom 0, < 5.4.52
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-45071
- PATCHhttps://github.com/symfony/symfony
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml
- WEBhttps://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d
- WEBhttps://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w
- WEBhttps://symfony.com/cve-2026-45071