Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
References (2)
Third Party Advisory x_refsource_confirm
https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides
Patch, Third Party Advisory x_refsource_confirm
https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec
Scores
CVSS v3
9.8
EPSS
0.0026
EPSS Percentile
49.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-79
CWE-89
Status
published
Products (3)
sensiolabs/symfony
2.7.0 - 2.7.51
symfony/http-foundation
2.7.0 - 2.7.51 (Packagist)
symfony/symfony
2.7.0 - 2.7.51 (Packagist)
Published
May 16, 2019
Tracked Since
Feb 18, 2026