[Aikido] Fix 4 security issues in symfony/http-foundation, symfony/mailer, symfony/mime #20

Open

aikido-autofix[bot] wants to merge 1 commit into 11.x from fix/aikido-security-update-packages-56280305-gcze

Conversation

@aikido-autofix

Upgrade Symfony components to fix authorization bypass via malformed PATH_INFO, command injection in SendmailTransport, and email header injection via CRLF in addresses.

✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| AIKIDO-2025-10807 | MEDIUM | [symfony/http-foundation] The Request class improperly handles PATH_INFO values, allowing URLs to be represented without a leading slash. This can bypass access control mechanisms that rely on paths beginning with a forward slash. |
| CVE-2025-64500 | MEDIUM | [symfony/http-foundation] The Request class improperly interprets PATH_INFO, allowing URLs with paths not starting with /, which can bypass access control rules relying on this prefix. This vulnerability enables security control bypass through malformed URL path handling. |
| AIKIDO-2026-10886 | MEDIUM | [symfony/mailer] Recipient addresses beginning with a dash can be interpreted as sendmail options instead of addresses, allowing attackers to inject arbitrary command options into the sendmail binary. This vulnerability enables command injection attacks in applications using sendmail transport with -t mode. |
| CVE-2026-45067 | MEDIUM | [symfony/mime] The Address constructor accepts email addresses with embedded CRLF characters in quoted strings, allowing injection of arbitrary mail headers and SMTP commands when the address is used in message headers or SMTP protocol lines. This enables header injection and SMTP command injection attacks. |
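The three weaknesses listed above share one shape: input that is valid as a string but carries meaning in the layer it is handed to (an access-control matcher, a sendmail command line, a CRLF-delimited header block). Upgrading the components is the fix; the following is an added example, not code from this PR or from Symfony, of the boundary checks an application can keep in its own code regardless of framework version. All function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example (not Symfony's code, not part of this PR): application-side
// checks that mirror the three failure modes in the PR description.
// Function names are hypothetical; sample inputs below are constructed.

declare(strict_types=1);

/**
 * Access rules written as "/admin..." silently assume PATH_INFO starts with
 * a slash. Normalise before matching so "admin/users" is compared as
 * "/admin/users" instead of falling outside every prefix rule.
 */
function normalizePathInfo(string $pathInfo): string
{
    // Collapse runs of slashes, then guarantee exactly one leading slash.
    $path = preg_replace('#/+#', '/', $pathInfo) ?? $pathInfo;
    return '/' . ltrim($path, '/');
}

function isProtectedPath(string $pathInfo): bool
{
    return str_starts_with(normalizePathInfo($pathInfo), '/admin');
}

/**
 * A sendmail binary reads any argument beginning with "-" as an option, so a
 * recipient that will be passed as a positional argument must never start
 * with a dash.
 */
function isSafeSendmailRecipient(string $address): bool
{
    return $address !== '' && $address[0] !== '-';
}

/**
 * Mail headers and SMTP dialogue lines are CRLF-delimited. A CR or LF inside
 * an address (even inside a quoted local part) lets the value end the current
 * header and start another, so reject both characters outright.
 */
function isSafeHeaderAddress(string $address): bool
{
    return preg_match('/[\r\n]/', $address) !== 1;
}

function validateRecipient(string $address): bool
{
    return isSafeSendmailRecipient($address) && isSafeHeaderAddress($address);
}

// Constructed sample inputs.
$paths = ['/admin/users', 'admin/users', '//admin', '/public'];
foreach ($paths as $p) {
    printf("%-14s -> %-13s protected=%s\n",
        $p, normalizePathInfo($p), isProtectedPath($p) ? 'yes' : 'no');
}

$recipients = [
    'alice@example.com',
    '-dash@example.com',                            // leading dash
    "\"bob\r\nX-Injected: 1\"@example.com",        // CRLF inside quoted local part
];
foreach ($recipients as $r) {
    printf("%s -> %s\n", json_encode($r), validateRecipient($r) ? 'accepted' : 'rejected');
}
```

Note that `normalizePathInfo()` only fixes the leading-slash assumption; it is not a substitute for the patched `Request` class, which also governs how PATH_INFO is derived from the server variables in the first place.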

aikido-autofix[bot] added the labels "bug" (Something isn't working) and "documentation" (Improvements or additions to documentation) on Jun 27, 2026.