{ "canonical_id": "symfony--CVE-2020-15094", "system_id": "symfony", "display_name": "Symfony", "category": "frameworks", "advisory_mode": "core", "title": "RCE in Symfony", "summary": "Description\n-----------\n\nThe `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible.\n\nResolution\n----------\n\nHTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch.\n\nCredits\n-------\n\nI would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.", "published_at": "2020-09-02T17:29:56Z", "updated_at": "2026-03-13T22:14:38.594283Z", "severity": "low", "cvss_score": 3.1, "exploit_status": "unknown", "source_confidence": "official", "official_source_url": "https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r", "secondary_source_urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2020-15094", "https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78", "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2020-15094.yaml", "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-15094.yaml", "https://github.com/symfony/symfony", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3", "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC", "https://packagist.org/packages/symfony/http-kernel", "https://packagist.org/packages/symfony/symfony", "https://symfony.com/cve-2020-15094" ], "aliases": [ "BIT-symfony-2020-15094", "CVE-2020-15094", "GHSA-754h-5r27-7x3r" ], "cve_ids": [ "CVE-2020-15094" ], "ghsa_ids": [ "GHSA-754h-5r27-7x3r" ], "osv_ids": [ "GHSA-754h-5r27-7x3r" ], "affected_versions": [ "v4.3.0", "v4.3.1", "v4.3.10", "v4.3.11", "v4.3.2", "v4.3.3", "v4.3.4", "v4.3.5", "v4.3.6", "v4.3.7", "v4.3.8", "v4.3.9", "v4.4.0", "v4.4.0-BETA1", "v4.4.0-BETA2", "v4.4.0-RC1", "v4.4.1", "v4.4.10", "v4.4.11", "v4.4.12", "v5.0.0", "v5.0.1", "v5.0.10", "v5.0.11", "v5.0.2", "v5.0.3", "v5.0.4", "v5.0.5", "v5.0.6", "v5.0.7", "v5.0.8", "v5.0.9", "v5.1.0", "v5.1.0-BETA1", "v5.1.0-RC1", "v5.1.0-RC2", "v5.1.1", "v5.1.2", "v5.1.3", "v5.1.4", "introduced=4.3.0, fixed<4.4.13", "introduced=5.0.0, fixed<5.1.5" ], "fixed_versions": [ "4.4.13", "5.1.5" ], "package_name": "symfony/symfony", "render_markdown": true, "case_path": "07-framework-security/frameworks/symfony/cases/symfony-cve-2020-15094.md", "secure_code_topics": [ "xss-output-encoding", "authz-server-side-recheck", "path-traversal-guard" ], "status": "generated", "triage_reasons": [], "verification_status": "triage-manual", "verification_mode": "synthetic", "last_verified_at": null, "last_run_id": null, "evidence_bundle": null, "historical_status": null, "latest_status": null, "browser_evidence": { "required": false, "present": false, "refs": [] }, "repro_profile_id": "xss-generic", "artifact_mode": "synthetic", "blocked_reason": null, "metadata": { "source_names": [ "OSV Symfony" ], "source_kinds": [ "osv-batch" ], "candidate_count": 2 } }