CVE-2019-10913
CRITICAL9.8EPSS 0.26%Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
Published: 12/2/2019Modified: 5/27/2026
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
Affected packages (3)
- Debian/symfonyfrom 0, < 3.4.22+dfsg-2
- Packagist/symfony/http-foundation>= 2.7.0, < 2.7.51
- Packagist/symfony/symfony>= 2.7.0, < 2.7.51
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10913
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-10913
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10913.yaml
- WEBhttps://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec
- WEBhttps://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides
- WEBhttps://symfony.com/cve-2019-10913