symfony/polyfill-intl-idn is vulnerable to Interpretation Conflict
57
Medium Risk
The symfony/polyfill-intl-idn library provides userland idn_to_ascii() and idn_to_utf8() implementations for PHP installations that lack the intl extension. Its Idn::process() method decodes xn-- Punycode labels, but previously accepted payloads that decode to an empty string or to ASCII-only text. Before the fix, hostnames that were originally unequal can be treated as equal, while native ext-intl rejects them; this can break hostname blacklists and URL canonicalization in downstream applications. Version 1.38.1 records IDNA_ERROR_INVALID_ACE_LABEL for those labels, matching UTS #46 revision 33 and native ext-intl behavior.
You are affected if you are using a version that falls within the vulnerable range.
symfony/polyfill-intl-idn is vulnerable to Interpretation Conflict in versions 1.17.1 - 1.37.0.
Upgrade the symfony/polyfill-intl-idn (or symfony/polyfill) library to the patched version.
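As defense in depth around hostname comparison, the following added example (not code from Symfony or from this advisory) rejects the label shapes described above before canonicalizing. The function names degenerateAceLabels() and canonicalHost() are hypothetical, and the structural rule is an assumption drawn from RFC 3492: a Punycode payload that is empty or ends in the "-" delimiter has no encoded part, so it can only decode to an empty string or to ASCII-only text.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Flags ACE labels whose Punycode payload
// has no encoded (non-ASCII) part: "xn--" alone, or a payload ending in the
// "-" delimiter. Such a payload can only decode to "" or to ASCII-only text.
function degenerateAceLabels(string $host): array
{
    // UTS #46 also treats U+3002, U+FF0E and U+FF61 as label separators.
    $labels = preg_split('/[.\x{3002}\x{FF0E}\x{FF61}]/u', $host);
    if ($labels === false) {
        return [$host]; // invalid UTF-8: treat the whole input as suspect
    }
    $bad = [];
    foreach ($labels as $label) {
        if (strncasecmp($label, 'xn--', 4) !== 0) {
            continue;
        }
        $payload = substr($label, 4);
        if ($payload === '' || substr($payload, -1) === '-') {
            $bad[] = $label;
        }
    }
    return $bad;
}

// Canonicalize a hostname for blacklist comparison; fail closed on any IDNA error.
function canonicalHost(string $host): ?string
{
    if (degenerateAceLabels($host) !== []) {
        return null;
    }
    $info = [];
    $ascii = idn_to_ascii($host, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46, $info);
    if ($ascii === false || ($info['errors'] ?? 0) !== 0) {
        return null;
    }
    return strtolower($ascii);
}

// Constructed sample hostnames (reserved .test TLD).
foreach (['example.test', 'xn--mnchen-3ya.test', 'xn--example-.test', 'xn--.test'] as $h) {
    printf("%-22s %s\n", $h, canonicalHost($h) ?? 'REJECTED');
}
```

The guard gives the same verdict whether idn_to_ascii() comes from ext-intl or from the polyfill, so blacklist checks do not depend on which implementation is loaded.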