CVE-2024-50343

LOW

symfony/validator < 5.4.43, 6.0.0-6.4.11, 7.0.0-7.1.4 - Regular Expression Bypass via Newline Character

Title source: llm

Description

symfony/validator is a module for the Symphony PHP framework which provides tools to validate values. It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. Symfony as of versions 5.4.43, 6.4.11, and 7.1.4 now uses the `D` regex modifier to match the entire input. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/05/msg00051.html

Vendor Advisory x_refsource_confirm

https://github.com/symfony/symfony/security/advisories/GHSA-g3rh-rrhp-jhh9

Patch x_refsource_misc

https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f

View Patch ZIP pw:eip

Scores

CVSS v3 3.1

EPSS 0.0046

EPSS Percentile 36.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (5)

symfony/symfony 0 - 5.4.43Packagist

symfony/symfony < 5.4.43

symfony/symfony >= 6.0.0, < 6.4.11

symfony/symfony >= 7.0.0, < 7.1.4

symfony/validator 0 - 5.4.43Packagist

Published Nov 06, 2024

Tracked Since Feb 18, 2026