PT-2026-44144 · Symfony · Symfony

Published: 2026-05-21 · Updated: 2026-05-27 · CVE-2026-45075

CVSS v4.0: 6.2 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 7.4

Description: The attributes #[IsGranted('...')], #[IsSignatureValid], and #[IsCsrfTokenValid(...)] accept a methods: [...] argument that restricts the check to specific HTTP methods. Because the router serves HEAD requests through the GET handler, a controller protected by an attribute that specifies methods: ['GET'] is also reachable via a HEAD request, and for that request the authorization check is skipped. The controller body then executes, potentially triggering side effects such as database writes or state changes, and may leak information through response headers such as Content-Length and Location.

Recommendations: Update to version 7.4 or later, where adding GET to the methods option automatically includes the HEAD method.
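The following controller, written for this page as an illustration and not taken from the Symfony project or the advisory, shows the vulnerable attribute usage next to two hardened forms. It assumes a Symfony 7.x application with symfony/security-http installed and a version in which these attributes accept the methods option, as the advisory describes; the controller name, routes, role and the generateReport() helper are constructed for the example.

```php
<?php
// Added illustration, not code from the Symfony project or from the advisory.
// Assumed: Symfony 7.x with symfony/security-http; the class, routes and role
// below are constructed for this example.

namespace App\Controller;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Attribute\AsController;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Attribute\IsGranted;

#[AsController]
final class ReportController
{
    // Vulnerable pattern (Symfony < 7.4): the route is declared for GET, and the
    // router also serves HEAD through this GET handler. The security attribute,
    // however, is told to check GET only, so a HEAD request reaches the body
    // without any authorization check: generateReport() runs, side effects
    // included, and the response headers are still returned to the caller.
    #[Route('/reports/rebuild', name: 'report_rebuild', methods: ['GET'])]
    #[IsGranted('ROLE_ADMIN', methods: ['GET'])]
    public function rebuildUnsafe(): Response
    {
        $this->generateReport();

        return new Response('rebuilt');
    }

    // Hardened form 1: name HEAD explicitly wherever GET is named. This is the
    // behaviour that 7.4 applies automatically when GET is listed.
    #[Route('/reports/rebuild-v2', name: 'report_rebuild_v2', methods: ['GET'])]
    #[IsGranted('ROLE_ADMIN', methods: ['GET', 'HEAD'])]
    public function rebuildExplicit(): Response
    {
        $this->generateReport();

        return new Response('rebuilt');
    }

    // Hardened form 2: leave `methods` unset on the security attribute so the
    // check covers every method the route accepts. For a route that only
    // accepts GET there is nothing to gain from narrowing the check at all.
    #[Route('/reports/rebuild-v3', name: 'report_rebuild_v3', methods: ['GET'])]
    #[IsGranted('ROLE_ADMIN')]
    public function rebuildAllMethods(): Response
    {
        $this->generateReport();

        return new Response('rebuilt');
    }

    // Stand-in for the state-changing work the advisory warns about
    // (database writes and similar); intentionally empty in this example.
    private function generateReport(): void
    {
    }
}
```

A regression test belongs next to the fix: a WebTestCase that sends an unauthenticated HEAD request to each protected route and asserts the response is not 200 (the exact status depends on the firewall's entry point) will fail on the vulnerable form and pass on both hardened forms, and it keeps failing if someone later reintroduces a GET-only methods list. Until the upgrade to 7.4 is done, auditing every methods: [...] argument on these three attributes for a GET entry without HEAD is the quickest way to find affected controllers.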

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-45075, GHSA-6439-2F28-8P8Q

Affected Products: Symfony