PT-2026-43392 · Symfony · Polyfill-Intl-Idn
CVE-2026-46644
·
Published
2026-05-26
·
Updated
2026-07-14
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
symfony/polyfill-intl-idn versions prior to 1.x
Description
The
Idn::process() function fails to enforce the validity criterion defined in UTS #46 revision 33 Section 4 step 4.1.2. Specifically, it does not verify that a label prefixed with xn-- contains at least one non-ASCII code point after Punycode decoding. This results in the acceptance of labels with empty Punycode payloads or those that decode only to ASCII characters, which are normally rejected by the native PHP ext-intl extension with an IDNA ERROR INVALID ACE LABEL error. This inconsistency in hostname canonicalization and comparison can lead to server-side request forgery, inconsistent URL parsing, and the bypassing of blacklists.Recommendations
Update to the patched version of the 1.x branch.
As a temporary workaround, restrict the use of the
Idn::process() function for validating or comparing hostnames until the update is applied.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Polyfill-Intl-Idn