Aikido Intel
Secure My Code
Intel

AIKIDO-2024-10381

symfony/form is vulnerable to Improper Neutralization of Null Byte

Improper Neutralization of Null Byte Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Oct 29, 2024

25

Low Risk

This Affects:

phpsymfony/form
2.0.0 - 5.4.37
Fixed in 5.4.38
6.0.0 - 6.4.5
Fixed in 6.4.6
7.0.0 - 7.0.5
Fixed in 7.0.6
Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to null byte injection. In PHP 7, the DateTime::createFromFormat function allows null byte injection, while in PHP 8, it throws a ValueError that is not properly caught. This vulnerability can allow attackers to manipulate date and time input, potentially leading to unexpected behavior or security issues. The fix addresses this by preventing null byte injection in PHP 7.x by throwing a TransformationFailedException, ensuring proper input validation and safeguarding against such attacks.

Who does this affect?

You are affected if you are using a version which is within vulnerability ranges and you are not using PHP 8.

Background info

symfony/form is vulnerable to Improper Neutralization of Null Byte in versions 2.0.0 - 5.4.37, 6.0.0 - 6.4.5 and 7.0.0 - 7.0.5.

How to fix this

Upgrade the symfony/form library to a patch version.

Links

Are You Affected?

Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.

Scan for Free
Book a Demo

Free. No credit card required.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done