symfony/string is vulnerable to Deserialization of Untrusted Data
75
High Risk
Symfony UnicodeString restores internal string state through __unserialize when a serialized UnicodeString object is decoded. Before the fix, assigning attacker-controlled values from the serialized array into the typed string property let PHP coerce Stringable objects via __toString before the post-assignment type check ran. A crafted serialized UnicodeString payload could therefore invoke attacker-chosen __toString logic during unserialize and contribute to a broader object-injection chain when applications pass untrusted serialized data to PHP unserialize. The fix rejects Stringable objects in the raw serialized data before any assignment to the string property.
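The assignment-before-check pattern described above, shown beside the corrected ordering. This is an added illustration with hypothetical classes (VulnerableText, HardenedText, Probe), not Symfony's own code; the file has no declare(strict_types=1), so PHP's coercive mode converts a Stringable object assigned to a typed string property.

```php
<?php
// Added illustration, not symfony/string code. Hypothetical classes mirroring the
// pattern in the advisory; no strict_types here, so coercion via __toString applies.

final class Probe
{
    public static int $calls = 0;
    public function __toString(): string
    {
        self::$calls++;          // harmless stand-in for attacker-chosen __toString logic
        return 'coerced';
    }
}

final class VulnerableText
{
    private string $value = '';
    public function __serialize(): array { return [$this->value]; }
    public function __unserialize(array $data): void
    {
        $this->value = $data[0];              // coercion (and __toString) runs here ...
        if (!is_string($data[0])) {           // ... before this check ever sees the object
            throw new \UnexpectedValueException('Invalid serialized data');
        }
    }
}

final class HardenedText
{
    private string $value = '';
    public function __serialize(): array { return [$this->value]; }
    public function __unserialize(array $data): void
    {
        if (!isset($data[0]) || !is_string($data[0])) {   // reject before any assignment
            throw new \UnexpectedValueException('Invalid serialized data');
        }
        $this->value = $data[0];
    }
}

// Constructed payload: the string slot holds a Probe object instead of a string.
$payload = 'O:14:"VulnerableText":1:{i:0;O:5:"Probe":0:{}}';
try { unserialize($payload); } catch (\UnexpectedValueException $e) {}
echo "Vulnerable: __toString called " . Probe::$calls . " time(s)\n";

Probe::$calls = 0;
$payload = str_replace('O:14:"VulnerableText"', 'O:12:"HardenedText"', $payload);
try { unserialize($payload); } catch (\UnexpectedValueException $e) {}
echo "Hardened: __toString called " . Probe::$calls . " time(s)\n";
```

Independently of the library fix, applications that must decode untrusted data should call unserialize() with ['allowed_classes' => false] (or an explicit allow-list), which prevents object instantiation and so the __toString trigger entirely.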
You are affected if you are using a version that falls within the vulnerable range.
symfony/string is vulnerable to Deserialization of Untrusted Data in versions 7.4.0 - 7.4.11 and 8.0.0 - 8.0.11.
Upgrade symfony/string and/or symfony/symfony to a patched version.