CVE-2024-51996

HIGH

Symfony <5.4.46, <6.4.14, <7.1.7 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-51996. PoCs published by moften.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass in Symfony applications by manipulating the REMEMBERME cookie to impersonate another user. It requires a stolen cookie and modifies the username portion to spoof a privileged account.

Description

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.

Exploits (1)

nomisec WORKING POC
by moften · poc
https://github.com/moften/CVE-2024-51996

This exploit demonstrates an authentication bypass in Symfony applications by manipulating the REMEMBERME cookie to impersonate another user. It requires a stolen cookie and modifies the username portion to spoof a privileged account.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Symfony (security-http component)
No auth needed
Prerequisites: A valid REMEMBERME cookie from a legitimate user · Knowledge of the target username to impersonate
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0009
EPSS Percentile 25.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-287 CWE-289
Status published
Products (4)
symfony/security-http 5.3.0 - 5.4.47Packagist
symfony/symfony >= 5.3.0, < 5.4.47
symfony/symfony >= 6.0.0-BETA1, < 6.4.15
symfony/symfony >= 7.0.0-BETA1, < 7.1.8
Published Nov 13, 2024
Tracked Since Feb 18, 2026