GHSA-j8gj-9rm5-4xhx

Source
https://github.com/advisories/GHSA-j8gj-9rm5-4xhx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j8gj-9rm5-4xhx/GHSA-j8gj-9rm5-4xhx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j8gj-9rm5-4xhx
Aliases
  • CVE-2026-45074
Published
2026-05-27T21:11:59Z
Modified
2026-05-27T21:30:09.331498804Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Summary
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
Details

Cas2Handler builds the CAS service parameter sent for ticket validation from Request::getSchemeAndHttpHost(), which reflects the attacker-controlled HTTP Host header whenever Symfony's framework.trusted_hosts setting is not configured (the default). An attacker who controls any other application registered with the same CAS server can therefore replay a victim's ticket against the Symfony application with a spoofed Host header and be authenticated as that victim.

Resolution

A new required service_url configuration option is introduced on Cas2Handler. The CAS service parameter sent to the validation endpoint is now built from this configured URL instead of being derived from the request's Host header, preventing cross-service ticket replay via Host header spoofing.
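To show why a configured service_url closes the hole described above, here is an added Python model of the CAS validation flow (an illustration, not Symfony's code): a toy CAS server that binds each ticket to the service it was issued for, and a client whose service parameter comes either from the Host header (the vulnerable behaviour) or from a configured URL (the fix). The host names and URLs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

APP_URL = "https://symfony-app.example/login"      # assumed configured service_url
OTHER_APP_URL = "https://other-app.example/login"  # another app on the same CAS server

@dataclass
class CasServer:
    """Toy CAS server: each service ticket is bound to the service it was issued for."""
    tickets: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def issue_ticket(self, service: str, user: str) -> str:
        ticket = f"ST-{len(self.tickets) + 1}-constructed"
        self.tickets[ticket] = (service, user)
        return ticket

    def service_validate(self, ticket: str, service: str) -> Optional[str]:
        # /serviceValidate succeeds only if the presented service equals the
        # issuing one; tickets are single-use.
        entry = self.tickets.pop(ticket, None)
        if entry is None or entry[0] != service:
            return None
        return entry[1]

@dataclass
class Request:
    scheme: str
    host: str    # HTTP Host header: client-controlled when trusted_hosts is unset
    path: str
    ticket: str

def host_derived_service(req: Request) -> str:
    """Vulnerable behaviour: service built like getSchemeAndHttpHost() + path."""
    return f"{req.scheme}://{req.host}{req.path}"

def authenticate(server: CasServer, req: Request,
                 service_url: Optional[str] = None) -> Optional[str]:
    """Returns the validated user or None. With service_url set (the fix),
    the Host header no longer influences the service parameter."""
    service = service_url or host_derived_service(req)
    return server.service_validate(req.ticket, service)

def validate_login(issued_for: str, host: str, fixed: bool) -> Optional[str]:
    """Issue a ticket for `issued_for`, present it to our app with the given
    Host header, and validate with or without the configured service_url."""
    server = CasServer()
    ticket = server.issue_ticket(issued_for, "alice")
    req = Request("https", host, "/login", ticket)
    return authenticate(server, req, APP_URL if fixed else None)
```

A ticket issued for the other application is accepted by the Host-derived client and rejected once service_url is configured, while a ticket genuinely issued for the application validates in both cases.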

The patch for this issue is available here for branch 7.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Nicolas Grekas for providing the fix.

Database specific
{
    "cwe_ids": [
        "CWE-290"
    ],
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2026-05-27T21:11:59Z",
    "severity": "MODERATE"
}
References

Affected packages

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony%2Fsecurity-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.4.12

Affected versions

v7.*
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.10
v7.1.11
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.2.0
v7.2.1
v7.2.3
v7.2.4
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.3.8
v7.3.9
v7.3.10
v7.4.0-BETA1
v7.4.0-RC1
v7.4.0-RC2
v7.4.0
v7.4.1
v7.4.3
v7.4.4
v7.4.6
v7.4.8
v7.4.9
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j8gj-9rm5-4xhx/GHSA-j8gj-9rm5-4xhx.json"

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony%2Fsecurity-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.3
v8.0.4
v8.0.6
v8.0.8
v8.0.9
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j8gj-9rm5-4xhx/GHSA-j8gj-9rm5-4xhx.json"

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.4.12

Affected versions

v7.*
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.1.6
v7.1.7
v7.1.8
v7.1.9
v7.1.10
v7.1.11
v7.2.0-BETA1
v7.2.0-BETA2
v7.2.0-RC1
v7.2.0
v7.2.1
v7.2.2
v7.2.3
v7.2.4
v7.2.5
v7.2.6
v7.2.7
v7.2.8
v7.2.9
v7.3.0-BETA1
v7.3.0-BETA2
v7.3.0-RC1
v7.3.0
v7.3.1
v7.3.2
v7.3.3
v7.3.4
v7.3.5
v7.3.6
v7.3.7
v7.3.8
v7.3.9
v7.3.10
v7.3.11
v7.4.0-BETA1
v7.4.0-BETA2
v7.4.0-RC1
v7.4.0-RC2
v7.4.0-RC3
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v7.4.10
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j8gj-9rm5-4xhx/GHSA-j8gj-9rm5-4xhx.json"

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.0.10
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j8gj-9rm5-4xhx/GHSA-j8gj-9rm5-4xhx.json"