symfony/security-core is vulnerable to Deserialization of Untrusted Data
59
Medium Risk
Several token and exception classes in the Symfony Security Core component restore typed string properties straight from raw serialized data inside their __unserialize() methods. Because PHP coerces objects to strings during that assignment, a forged payload that places a \Stringable object in one of those slots invokes its __toString() method before any post-assignment validation runs. When an application deserializes attacker-controlled data containing one of these classes, this __toString trampoline can drive attacker-chosen gadget logic during unserialization. The fix rejects \Stringable values in the raw data before assigning any typed string property and throws an exception instead.
You are affected if you are using a version that falls within the vulnerable range and your application deserializes attacker-controlled data that can contain these Security Core token or exception classes.
symfony/security-core is vulnerable to Deserialization of Untrusted Data in versions 6.0.0 - 6.4.41, 7.0.0 - 7.4.13, 8.0.0 - 8.0.13 and 8.1.0 - 8.1.0.
Upgrade the symfony/security-core and/or the symfony/symfony library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant