
AIKIDO-2026-10964

symfony/http-client is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) | CVE-2026-48736 | Published Yesterday

Risk score: 65 (Medium Risk)

This Affects:

PHP: symfony/http-client
Affected versions: 5.4.0 - 5.4.52
Fixed in: 5.4.53

TL;DR

The 5.4 line of symfony/http-client ships a private subnet list inside NoPrivateNetworkHttpClient, a decorator that refuses requests whose destination falls in a private network. Before the fix, that list omitted the IPv6 transition forms that carry an IPv4 address inside the literal: 6to4 (2002::/16), Teredo (2001::/32), NAT64 (64:ff9b::/96) and IPv4-compatible addresses (::/96). An attacker who controls a request URL can therefore encode a loopback or RFC 1918 address in one of those forms (for example 127.0.0.1 as 2002:7f00:1::, or 10.0.0.1 as 64:ff9b::a00:1); the decorator sees a literal that matches nothing on its list, treats the destination as public and dispatches the request. The fix adds those transition prefixes to the blocked subnet list.

Who does this affect?

You are affected if you run symfony/http-client 5.4.0 through 5.4.52 and rely on NoPrivateNetworkHttpClient to keep requests away from internal hosts, in particular where the request URL, or the host inside it, can be influenced by an untrusted party (webhooks, link previews, URL fetchers, import-from-URL features). Code that does not wrap its client in NoPrivateNetworkHttpClient was never protected by this list in the first place and should be reviewed separately.

Background info

symfony/http-client is vulnerable to Server-Side Request Forgery (SSRF) in versions 5.4.0 - 5.4.52. The weakness is confined to the subnet list that NoPrivateNetworkHttpClient uses to decide whether a destination is private: because IPv6 transition literals that embed an IPv4 address were not on that list, a request to one of them passed the check even though the embedded address is loopback or RFC 1918.

How to fix this

Upgrade symfony/http-client, or the symfony/symfony monorepo package if that is what you depend on, to 5.4.53 or later. If you cannot upgrade immediately, pass NoPrivateNetworkHttpClient an explicit subnet list that includes the transition prefixes (2002::/16, 2001::/32, 64:ff9b::/96, ::/96) alongside the usual private ranges.
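The following is an added example, not code from Symfony or from the advisory. It shows two things discussed above: how each transition form hides an IPv4 address inside an IPv6 literal (the decoding helper embeddedIpv4 is mine, written here for illustration), and how a 5.4.x deployment that cannot upgrade yet can hand NoPrivateNetworkHttpClient an explicit subnet list that covers those prefixes. It assumes symfony/http-client 5.4 and symfony/http-foundation (which provides IpUtils, the same class the decorator uses) are installed via Composer, and that an explicit $subnets argument replaces the decorator's built-in list rather than extending it, which is why the ordinary private ranges are repeated in BLOCKED_SUBNETS; check that against the constructor in your installed version. The probe literals are constructed for the example.

```php
<?php
// Added example (not Symfony's own code). Assumes symfony/http-client 5.4 and
// symfony/http-foundation are installed with Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpClient\HttpClient;
use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
use Symfony\Component\HttpFoundation\IpUtils;

// Ranges to block on a 5.4.0 - 5.4.52 deployment. The first two groups are the
// usual private/loopback/link-local ranges; the last group is the IPv6
// transition prefixes from the advisory, each of which carries an IPv4 address
// inside the 128-bit literal. (Assumption: an explicit list replaces the
// decorator's default, so the defaults are repeated here.)
const BLOCKED_SUBNETS = [
    // IPv4 loopback, RFC 1918, link-local, "this network", reserved
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '169.254.0.0/16', '0.0.0.0/8', '240.0.0.0/4',
    // IPv6 loopback, unique-local, link-local, unspecified
    '::1/128', 'fc00::/7', 'fe80::/10', '::/128',
    // IPv6 transition prefixes that embed an IPv4 address
    '::ffff:0:0/96',  // IPv4-mapped      ::ffff:a.b.c.d
    '::/96',          // IPv4-compatible  ::a.b.c.d (deprecated, still parsed)
    '2002::/16',      // 6to4             2002:AABB:CCDD::/48 -> a.b.c.d
    '2001::/32',      // Teredo           client IPv4 in the low 32 bits, bit-inverted
    '64:ff9b::/96',   // NAT64 well-known prefix, IPv4 in the low 32 bits
    '64:ff9b:1::/48', // NAT64 local-use prefix (RFC 8215), blocked but not decoded below
];

/**
 * Recover the IPv4 address embedded in an IPv6 transition literal, or null if
 * the literal uses none of these forms. This is the attacker's encoding run
 * backwards: whichever form is missing from a blocklist is the one to use.
 */
function embeddedIpv4(string $ip): ?string
{
    $bin = @inet_pton($ip);
    if ($bin === false || strlen($bin) !== 16) {
        return null; // not a valid IPv6 literal
    }
    $b = array_values(unpack('C16', $bin)); // 16 bytes, indexed 0..15

    // 6to4: 2002:XXXX:YYYY::/48, IPv4 in bytes 2..5
    if ($b[0] === 0x20 && $b[1] === 0x02) {
        return implode('.', array_slice($b, 2, 4));
    }
    // Teredo: 2001:0000::/32, client IPv4 in bytes 12..15 with every bit inverted
    if ($b[0] === 0x20 && $b[1] === 0x01 && $b[2] === 0x00 && $b[3] === 0x00) {
        $client = array_map(function ($x) { return $x ^ 0xff; }, array_slice($b, 12, 4));
        return implode('.', $client);
    }
    // NAT64 well-known prefix 64:ff9b::/96, IPv4 in bytes 12..15
    if ($b[0] === 0x00 && $b[1] === 0x64 && $b[2] === 0xff && $b[3] === 0x9b
        && array_sum(array_slice($b, 4, 8)) === 0) {
        return implode('.', array_slice($b, 12, 4));
    }
    // IPv4-mapped ::ffff:a.b.c.d and IPv4-compatible ::a.b.c.d, IPv4 in bytes 12..15
    if (array_sum(array_slice($b, 0, 10)) === 0
        && (($b[10] === 0xff && $b[11] === 0xff) || ($b[10] === 0x00 && $b[11] === 0x00))) {
        return implode('.', array_slice($b, 12, 4));
    }
    return null;
}

// Constructed probe literals: each one encodes 127.0.0.1 or 10.0.0.1.
$probes = [
    '2002:7f00:1::'                      => '6to4',
    '2001:0:4136:e378:8000:63bf:80ff:fffe' => 'Teredo',
    '64:ff9b::a00:1'                     => 'NAT64',
    '::7f00:1'                           => 'IPv4-compatible',
    '::ffff:127.0.0.1'                   => 'IPv4-mapped',
];

foreach ($probes as $literal => $form) {
    $inner   = embeddedIpv4($literal) ?? '(none)';
    // IpUtils::checkIp is what NoPrivateNetworkHttpClient consults internally.
    $verdict = IpUtils::checkIp($literal, BLOCKED_SUBNETS) ? 'blocked' : 'ALLOWED';
    printf("%-38s %-16s embeds %-10s -> %s\n", $literal, $form, $inner, $verdict);
}

// Wire the extended list into the decorator. Any request whose host is one of
// the probe literals above is then rejected with a TransportException instead
// of being dispatched. The request line is left commented out so this script
// runs without network access.
$client = new NoPrivateNetworkHttpClient(HttpClient::create(), BLOCKED_SUBNETS);
// $response = $client->request('GET', 'http://[2002:7f00:1::]/admin');
```

The decoding helper is only there to make the encodings visible; the real control is the subnet list handed to the decorator, because on a host or network with 6to4, Teredo or NAT64 available the transition literal is delivered to the embedded IPv4 address exactly as the attacker intends. Once you are on 5.4.53 or later the explicit list is no longer needed, but keeping it does no harm and documents the intent.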