symfony/ux-autocomplete is vulnerable to Information Exposure
Low Risk
Symfony UX Autocomplete's EntitySearchUtil::addSearchClause() builds a LIKE expression by wrapping the client-supplied query in %...% without escaping the SQL LIKE wildcards %, _, and \. Because BaseEntityAutocompleteType ships with security => false and searchable_fields defaults to every property of the entity, an unauthenticated caller can submit % to match every row or use _ as a single-character wildcard, turning the public autocomplete endpoint into a broad matcher or blind boolean oracle against entity columns the application never intended to expose. The fix escapes \, %, and _ in the user-supplied query with addcslashes() and appends an explicit ESCAPE '\' clause so those characters match literally.
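The unescaped and escaped LIKE patterns side by side, as an added example that is not code from ux-autocomplete itself; it uses an in-memory SQLite table constructed here as sample data, and the function and table names are assumptions, not the library's own:

```php
<?php
declare(strict_types=1);

/** Escape the LIKE wildcards so a client-supplied query matches literally. */
function escapeLikeWildcards(string $query): string
{
    // Backslash is escaped as well, since it becomes the ESCAPE character
    // in the LIKE clause built below.
    return addcslashes($query, '\\%_');
}

/** Count rows whose name matches the query, with or without the fix. */
function countMatches(PDO $pdo, string $query, bool $escape): int
{
    if ($escape) {
        // Fixed form: wildcards are escaped and ESCAPE '\' is explicit.
        $sql = "SELECT COUNT(*) FROM product WHERE name LIKE :q ESCAPE '\\'";
        $pattern = '%' . escapeLikeWildcards($query) . '%';
    } else {
        // Vulnerable form: %, _ and \ in $query keep their special meaning.
        $sql = 'SELECT COUNT(*) FROM product WHERE name LIKE :q';
        $pattern = '%' . $query . '%';
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':q' => $pattern]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample data (assumed table "product" with a single "name" column).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE product (name TEXT)');
foreach (['Widget', 'Gadget', '100% cotton', 'snake_case'] as $name) {
    $pdo->prepare('INSERT INTO product VALUES (?)')->execute([$name]);
}

// Compare how many rows each query matches before and after the fix.
foreach (['%', 'W_dget', '100%', 'snake_case'] as $q) {
    printf("%-12s unescaped=%d escaped=%d\n",
        $q, countMatches($pdo, $q, false), countMatches($pdo, $q, true));
}
```

With the escaped pattern a bare `%` matches only the row that literally contains a percent sign, and `W_dget` no longer matches `Widget`.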
You are affected if you are using a version that falls within the vulnerable range.
symfony/ux-autocomplete is vulnerable to Information Exposure in versions 2.2.0 - 2.35.0 and 3.0.0 - 3.0.0.
Upgrade the symfony/ux-autocomplete library to the patched version.