Intel

AIKIDO-2026-656715

symfony/security-core is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted Data Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 1, 2026

59

Medium Risk

This Affects:

PHPsymfony/security-core
6.0.0 - 6.4.41
Fixed in 6.4.42
7.0.0 - 7.4.13
Fixed in 7.4.14
8.0.0 - 8.0.13
Fixed in 8.0.14
8.1.0 - 8.1.0
Fixed in 8.1.1
Are you affected? Scan for Free

TL;DR

Several token and exception classes in the Symfony Security Core component restore typed string properties straight from raw serialized data inside their __unserialize() methods. Because PHP coerces objects to strings during that assignment, a forged payload that places a \Stringable object in one of those slots invokes its __toString() method before any post-assignment validation runs. When an application deserializes attacker-controlled data containing one of these classes, this __toString trampoline can drive attacker-chosen gadget logic during unserialization. The fix rejects \Stringable values in the raw data before assigning any typed string property and throws an exception instead.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application deserializes attacker-controlled data that can contain these Security Core token or exception classes.

Background info

symfony/security-core is vulnerable to Deserialization of Untrusted Data in versions 6.0.0 - 6.4.41, 7.0.0 - 7.4.13, 8.0.0 - 8.0.13 and 8.1.0 - 8.1.0.

How to fix this

Upgrade the symfony/security-core and/or the symfony/symfony library to the patch version.