
AIKIDO-2026-10888

symfony/monolog-bridge is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted Data
CVE-2026-45077
Published May 21, 2026

High Risk (score 81)

This Affects:

PHP: symfony/monolog-bridge
- 0.0.1 - 5.4.51 (fixed in 5.4.52)
- 6.0.0 - 6.4.39 (fixed in 6.4.40)
- 7.0.0 - 7.4.11 (fixed in 7.4.12)
- 8.0.0 - 8.0.11 (fixed in 8.0.12)

TL;DR

server:log listens on all interfaces by default and deserializes incoming log frames. Any host that can reach the listener can send attacker-controlled serialized PHP data without authentication. Depending on the gadget classes available in the application, a pre-fix listener can be crashed or subjected to PHP object injection. The fix binds the listener to localhost by default and restricts deserialization to the VarDumper classes the listener expects.
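The second half of the fix, restricting deserialization to an allow-list of expected classes, maps onto PHP's standard `unserialize()` option `allowed_classes`. The script below is an added illustration of that mechanism and is not code from symfony/monolog-bridge or Symfony; the classes `ExpectedFrame` and `UnexpectedGadget`, the function `decodeFrame()` and the sample frames are constructed stand-ins (the real listener's allow-list holds VarDumper classes, which are not loaded here).

```php
<?php
declare(strict_types=1);

// Added illustration, not symfony/monolog-bridge code. Shows how an allow-list
// passed to unserialize() keeps a frame naming an unexpected class from ever
// instantiating it, and how a malformed frame is rejected instead of raising.

// Constructed stand-in for a legitimate payload class the listener expects.
final class ExpectedFrame
{
    public function __construct(public string $message = '') {}
}

// Constructed stand-in for an arbitrary application class named by a hostile frame.
// Its __wakeup() side effect is what an allow-list must prevent from running.
final class UnexpectedGadget
{
    public static int $wakeups = 0;

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

/**
 * Deserialize one log frame, allowing only the listed classes.
 * Returns null for malformed frames and for frames naming any other class.
 *
 * @param list<class-string> $allowedClasses
 */
function decodeFrame(string $frame, array $allowedClasses): ?object
{
    // Malformed input makes unserialize() return false and emit a notice/warning;
    // the @ keeps a bad frame from escalating under strict error handling.
    $value = @unserialize($frame, ['allowed_classes' => $allowedClasses]);
    if (!is_object($value)) {
        return null;
    }

    // A class outside the allow-list is materialised as __PHP_Incomplete_Class:
    // no constructor, __wakeup() or __destruct() of the named class is invoked.
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;
    }

    return $value;
}

$allowed = [ExpectedFrame::class];

// Constructed sample frames: legitimate, naming a class outside the allow-list,
// and truncated mid-stream.
$good      = serialize(new ExpectedFrame('request handled'));
$injected  = 'O:16:"UnexpectedGadget":0:{}';
$malformed = substr($good, 0, 10);

// With the allow-list, only the legitimate frame yields an object and the
// gadget's __wakeup() counter stays untouched.
var_dump(decodeFrame($good, $allowed));
var_dump(decodeFrame($injected, $allowed));
var_dump(decodeFrame($malformed, $allowed));
var_dump(UnexpectedGadget::$wakeups);

// Pre-fix behaviour for comparison: an unrestricted unserialize() instantiates
// whatever class the frame names and runs its __wakeup(), so the counter moves.
@unserialize($injected);
var_dump(UnexpectedGadget::$wakeups);
```

The allow-list is only half of the defence described above: it stops instantiation of unexpected classes, but a listener reachable from other hosts still accepts unauthenticated frames, which is why the fix also binds to localhost by default. A detection angle for defenders is to alert on connections to the server:log port from anything other than the loopback interface.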

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

symfony/monolog-bridge is vulnerable to Deserialization of Untrusted Data in versions 0.0.1 - 5.4.51, 6.0.0 - 6.4.39, 7.0.0 - 7.4.11 and 8.0.0 - 8.0.11.

How to fix this

Upgrade the symfony/monolog-bridge and/or symfony/symfony library to a patched version (5.4.52, 6.4.40, 7.4.12 or 8.0.12, depending on the branch you use).