PT-2026-5124 · Symfony · Symfony

Seldaek · Published 2026-01-28 · Updated 2026-01-29 · CVE-2026-24739

CVSS v3.1 6.3 Medium
Vector AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Symfony versions prior to 5.4.51
Symfony versions prior to 6.4.33
Symfony versions prior to 7.3.11
Symfony versions prior to 7.4.5
Symfony versions prior to 8.0.5
Description

The Symfony Process component did not treat = as a character that requires quoting when escaping command-line arguments on Windows, so an argument such as a path containing = was handed to the spawned process unquoted. When PHP is run from an MSYS2-based environment such as Git Bash and spawns native Windows executables, the MSYS2 argument and path conversion layer can rewrite unquoted arguments that contain =, so the child process receives a corrupted or truncated argument rather than the one the application passed. If an application uses Symfony Process to invoke file-management commands (for example rmdir or del) with a path argument containing =, the MSYS2 conversion may alter that path at run time, and the operation may then be performed on an unintended path, up to and including deletion of the wrong files or directories. The issue matters most where untrusted input influences process arguments: repository paths, paths of extracted archives, temporary directories, or user-controlled configuration.
Recommendations

Update to a fixed release for the branch in use:
Versions prior to 5.4.51 should be updated to version 5.4.51 or later.
Versions prior to 6.4.33 should be updated to version 6.4.33 or later.
Versions prior to 7.3.11 should be updated to version 7.3.11 or later.
Versions prior to 7.4.5 should be updated to version 7.4.5 or later.
Versions prior to 8.0.5 should be updated to version 8.0.5 or later.

Until the upgrade is applied, avoid running PHP or related tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables, and do not pass paths containing = to Symfony Process when operating under Git Bash/MSYS2. These workarounds only reduce exposure; the escaping defect itself is fixed only by upgrading.
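The escaping rule behind the description and the interim guard from the recommendations, as an added example in PHP. This is not Symfony's code: the two quoting regexes are assumptions modelled on the Windows branch of the component's argument escaping (one without = in the set of characters that force quoting, one with it), runningUnderMsys2() and assertSafeForMsys2() are hypothetical helpers, and the sample path is constructed. It needs PHP 8 for str_contains().

```php
<?php
// Added example, not Symfony's own code. Models the Windows argument
// escaping rule of Symfony Process before and after the CVE-2026-24739 fix,
// plus an interim guard for PHP started from an MSYS2 shell (Git Bash).
// The regexes are assumptions modelled on the component; verify them
// against the patched release you deploy.
declare(strict_types=1);

// Characters that force quoting on Windows. Before the fix '=' was not in
// the set, so an argument such as C:\repo\a=b was emitted unquoted, which is
// exactly the form the MSYS2 conversion layer rewrites.
const QUOTE_TRIGGERS_VULNERABLE = '/[\/()%!^"<>&|\s]/';
// Fixed set: '=' now forces quoting.
const QUOTE_TRIGGERS_FIXED = '/[\/()%!^"<>&|\s=]/';

function escapeWindowsArgument(string $argument, string $triggers): string
{
    if ('' === $argument) {
        return '""';
    }
    if (!preg_match($triggers, $argument)) {
        return $argument; // passed through unquoted
    }
    // Double any trailing backslashes so they cannot escape the closing quote.
    $argument = preg_replace('/(\\\\+)$/', '$1$1', $argument);

    return '"'.str_replace(
        ['"', '^', '%', '!', "\n"],
        ['""', '"^^"', '"^%"', '"^!"', '!LF!'],
        $argument
    ).'"';
}

function escapeVulnerable(string $argument): string
{
    return escapeWindowsArgument($argument, QUOTE_TRIGGERS_VULNERABLE);
}

function escapeFixed(string $argument): string
{
    return escapeWindowsArgument($argument, QUOTE_TRIGGERS_FIXED);
}

// Hypothetical helper (assumption of this example): Git Bash and other MSYS2
// shells export MSYSTEM (for example MINGW64), so its presence is a usable
// signal that PHP was started from such a shell.
function runningUnderMsys2(): bool
{
    $msystem = getenv('MSYSTEM');

    return false !== $msystem && '' !== $msystem;
}

// Interim guard for code that cannot upgrade yet: refuse to hand an argument
// containing '=' to a spawned process while running under MSYS2.
function assertSafeForMsys2(array $arguments): void
{
    if (!runningUnderMsys2()) {
        return;
    }
    foreach ($arguments as $argument) {
        if (str_contains((string) $argument, '=')) {
            throw new InvalidArgumentException(sprintf(
                'Refusing to pass "%s" to a native executable under MSYS2 (CVE-2026-24739)',
                $argument
            ));
        }
    }
}

// Constructed sample: a repository path that happens to contain '='.
$path = 'C:\\builds\\repo=feature\\tmp';

printf("vulnerable escaping: %s\n", escapeVulnerable($path));
printf("fixed escaping:      %s\n", escapeFixed($path));

try {
    assertSafeForMsys2(['rmdir', '/s', '/q', $path]);
    echo "guard: arguments accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'guard: '.$e->getMessage()."\n";
}
```

Run it with php from cmd.exe and again from Git Bash: the vulnerable rule prints the sample path bare, the fixed rule prints it wrapped in double quotes, and the guard only rejects the rmdir argument list in the Git Bash run, where MSYSTEM is set. The guard is a stopgap for the window before the upgrade; it does not repair the escaping, it just prevents the argument shape the advisory describes from reaching a native executable.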

Weakness Enumeration

Argument Injection

Related Identifiers

CVE-2026-24739
GHSA-R39X-JCWW-82V6

Affected Products

Symfony