PT-2024-34155 · Symfony+5 · Symfony Httpfoundation+5

Zer0Yu · Published 2024-10-29 · Updated 2025-07-01 · CVE-2024-50345

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: symfony/http-foundation versions prior to 5.4.46; symfony/http-foundation versions prior to 6.4.14; symfony/http-foundation versions prior to 7.1.7
Description: The Request class in symfony/http-foundation does not parse URIs containing special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class into redirecting users to another domain. The issue has been patched, and users are advised to upgrade. There are no known workarounds for this issue.
Recommendations: For versions prior to 5.4.46, upgrade to version 5.4.46 or later. For versions prior to 6.4.14, upgrade to version 6.4.14 or later. For versions prior to 7.1.7, upgrade to version 7.1.7 or later. As a temporary workaround, consider validating URLs manually to ensure they do not contain invalid characters as defined by https://url.spec.whatwg.org/ until a patch is applied.
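As an added illustration of the interim workaround (example code, not symfony/http-foundation's own), the PHP helper below refuses a redirect target that contains characters the WHATWG URL Standard strips or re-interprets, then requires the host to be on an explicit allowlist; the function name, the allowlist and the sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not symfony/http-foundation code. Hypothetical helper that
// implements the advisory's interim workaround: reject redirect targets that
// contain characters browsers strip or re-interpret under the WHATWG URL
// Standard, then only accept hosts from an explicit allowlist.
function isSafeRedirectTarget(string $url, array $allowedHosts): bool
{
    // C0 controls (0x00-0x1F), space, DEL and backslash. Browsers strip tab and
    // newline anywhere, trim leading/trailing C0/space, and treat "\" as "/"
    // for http(s); a server-side parser may not, so refuse them outright.
    if (preg_match('/[\x00-\x20\x7F\\\\]/', $url) === 1) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative or unparsable targets are not accepted here
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Userinfo ("user:pass@host") is refused: a redirect never needs it and it
    // is a frequent source of parser/browser disagreement about the host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // WHATWG "forbidden host code points"; parse_url already rejects most of
    // these, so this is a defensive double check on the extracted host.
    if (preg_match('/[\x00\x09\x0A\x0D\x20#\/:<>?@\[\\\\\]^|]/', $parts['host']) === 1) {
        return false;
    }
    $host = strtolower($parts['host']);
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed inputs exercising the checks above (example.com / other.test are
// placeholder hosts).
$allowed = ['example.com', 'www.example.com'];
foreach ([
    'https://example.com/account',        // plain target on an allowed host
    "https://example.com\t.other.test/",  // embedded tab
    'https://example.com\\@other.test/',  // backslash
    'https://user@example.com/',          // userinfo
    'https://other.test/',                // host not on the allowlist
] as $candidate) {
    printf("%-40s %s\n", json_encode($candidate),
        isSafeRedirectTarget($candidate, $allowed) ? 'accept' : 'reject');
}
```

The helper deliberately rejects relative targets; if the application needs them, resolve them against its own origin before calling the check rather than loosening the character filter.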

Open Redirect

Weakness Enumeration

Related Identifiers

BDU:2025-07865
CVE-2024-50345
DLA-4200-1
DSA-5809-1
GHSA-MRQX-RP3W-JPJP
USN-7272-1

Affected Products

Astra Linux
Debian
Linuxmint
Red Os
Ubuntu
Symfony Httpfoundation