PT-2026-44145 · Symfony · Monolog-Bridge+1

Published

2026-05-21

·

Updated

2026-05-28

·

CVE-2026-45077

CVSS v4.0

8.1

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions

symfony/monolog-bridge versions prior to 5.4.52
symfony/monolog-bridge versions prior to 6.4.40
symfony/monolog-bridge versions prior to 7.4.12
symfony/monolog-bridge versions prior to 8.0.12
symfony/symfony versions prior to 5.4.52
symfony/symfony versions prior to 6.4.40
symfony/symfony versions prior to 7.4.12
symfony/symfony versions prior to 8.0.12
Description

The server:log console command, implemented in Symfony\Bridge\Monolog\Command\ServerLogCommand, contains a PHP object deserialization flaw. By default, the listener binds to 0.0.0.0:9911, making it reachable on all network interfaces. The command processes each incoming message with unserialize(base64_decode($message)) without authentication, integrity checks, or a class allowlist, so a remote attacker can deliver arbitrary serialized PHP objects to the process. Depending on the gadget chains available in the target environment (any class the application can autoload), this can lead to remote code execution. At minimum, sending a serialized value that is not an array crashes the listener with a type error, causing a denial of service.
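The following is an added illustration and is neither Symfony's code nor the upstream fix: it places the unsafe decode pattern from the advisory beside a hardened variant and a loopback-only listener, and feeds both decoders constructed messages (a real log record, a serialized object standing in for a gadget, a bare scalar, and non-base64 garbage). The function names decodeUnsafe, decodeHardened and openLogListener are hypothetical; the sample messages are constructed inline. The final step briefly binds 127.0.0.1:9911 and closes it.

```php
<?php
// Added example, not Symfony's code: the unsafe pattern the advisory describes
// beside a hardened variant. decodeUnsafe, decodeHardened and openLogListener
// are hypothetical names chosen for this illustration.
declare(strict_types=1);

/** Mirrors the vulnerable pattern: no class allowlist, no shape check. */
function decodeUnsafe(string $message): array
{
    // Any autoloadable class may be instantiated (gadget chains), and a
    // non-array result violates the declared return type -> TypeError.
    return unserialize(base64_decode($message));
}

/** Hardened decoder: strict base64, no object instantiation, array required. */
function decodeHardened(string $message): ?array
{
    $raw = base64_decode($message, true);          // strict mode rejects stray bytes
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false: any object becomes __PHP_Incomplete_Class, so
    // no attacker-chosen __wakeup()/__destruct() ever runs.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;                               // reject instead of crashing
    }
    return $data;
}

/** Hardened listener: loopback only, so only local processes can reach it. */
function openLogListener(string $host = '127.0.0.1', int $port = 9911)
{
    $server = @stream_socket_server("tcp://$host:$port", $errno, $errstr);
    if ($server === false) {
        throw new RuntimeException("cannot listen on $host:$port: $errstr ($errno)");
    }
    return $server;
}

// Constructed sample messages (base64 of PHP-serialized data).
$samples = [
    // a legitimate log record: an associative array
    'record'  => base64_encode(serialize(['message' => 'User login', 'level' => 200, 'channel' => 'app'])),
    // a serialized object: stands in for a gadget and is also the non-array DoS case
    'object'  => base64_encode(serialize(new ArrayObject(['x' => 1]))),
    // a bare scalar, also non-array
    'scalar'  => base64_encode(serialize(42)),
    // not valid base64 at all
    'garbage' => '%%not-base64%%',
];

foreach ($samples as $label => $msg) {
    try {
        $keys = implode(',', array_keys(@decodeUnsafe($msg)));
        echo "unsafe   [$label]: accepted, keys={$keys}\n";
    } catch (TypeError $e) {
        echo "unsafe   [$label]: TypeError, the listener process would die\n";
    }
    $r = decodeHardened($msg);
    echo "hardened [$label]: " . ($r === null ? 'rejected' : 'accepted') . "\n";
}

try {
    $srv = openLogListener();
    echo "listening on " . stream_socket_get_name($srv, false) . " (loopback only)\n";
    fclose($srv);
} catch (RuntimeException $e) {
    echo $e->getMessage() . "\n";
}
```

Run with `php example.php`. Only the `record` message is accepted by both decoders; the unsafe decoder instantiates the ArrayObject and then dies with a TypeError on every non-array input, whereas the hardened one returns null and the listener keeps running. Note that allowed_classes => false removes the gadget-chain surface but not the trust problem: a listener reachable from untrusted networks still lets anyone inject log records, which is why binding to loopback (or filtering the port) is the complementary control.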
Recommendations

Update symfony/monolog-bridge to version 5.4.52 or newer.
Update symfony/monolog-bridge to version 6.4.40 or newer.
Update symfony/monolog-bridge to version 7.4.12 or newer.
Update symfony/monolog-bridge to version 8.0.12 or newer.
Update symfony/symfony to version 5.4.52 or newer.
Update symfony/symfony to version 6.4.40 or newer.
Update symfony/symfony to version 7.4.12 or newer.
Update symfony/symfony to version 8.0.12 or newer.

As a temporary mitigation, restrict access to TCP port 9911 (for example, with a host firewall), bind the listener to a loopback address rather than 0.0.0.0, or avoid running the server:log command at all on hosts with interfaces exposed to untrusted networks.

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)
Exposure of Resource to Wrong Sphere (CWE-668)

Related Identifiers

CVE-2026-45077
GHSA-M7V2-7GXM-VC2V

Affected Products

Monolog-Bridge
Symfony