GHSA-6439-2f28-8p8q

Source
https://github.com/advisories/GHSA-6439-2f28-8p8q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6439-2f28-8p8q/GHSA-6439-2f28-8p8q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6439-2f28-8p8q
Aliases
  • CVE-2026-45075
Published
2026-05-27T21:12:38Z
Modified
2026-05-27T21:30:09.440872204Z
Severity
  • 6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
Summary
Symfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
Details

Description

Symfony's #[IsGranted('...')], #[IsSignatureValid], and #[IsCsrfTokenValid(...)] attributes accept a methods: [...] argument that restricts the check to the listed HTTP methods and skips it for all others. For example, an attribute declaring methods: ['GET'] is not enforced for a HEAD request.

However, Symfony's router (and HTTP semantics generally) serves HEAD requests with the GET handler. A controller protected by e.g. #[IsGranted('ROLE_ADMIN', methods: ['GET'])] can therefore be reached via HEAD with the authorization check silently skipped.

Even though a HEAD response carries no body, response headers still leak (Content-Length, Location, custom headers), and the controller still executes, so any side effects (DB writes, state changes) occur.

Resolution

When GET is listed in the methods option of these attributes, Symfony now automatically includes HEAD as well.

The patch for this issue is available here for branch 7.4.
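As an added illustration, not code from the advisory or from Symfony, the PHP below models the method filter described above in two forms: a literal comparison, under which a HEAD request to a GET-only rule is never checked, and a normalisation that mirrors the described fix by treating GET as implying HEAD. The commented controller sketch shows the weak attribute beside the explicit ['GET', 'HEAD'] form that a deployment still on an affected version can use until it upgrades. The helper function names, the controller, the route path and the "empty list means always enforce" behaviour are assumptions, not Symfony's API.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Hypothetical helpers that model the
// methods: [...] filter of #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid].

/**
 * Literal comparison: the check applies only when the request method is
 * listed verbatim. With methods: ['GET'], a HEAD request is not checked,
 * even though the router serves HEAD through the GET handler.
 * Assumption: an empty list means "no filter", so the check always applies.
 */
function enforcesCheckLiteral(string $requestMethod, array $methods): bool
{
    if ($methods === []) {
        return true;
    }
    $listed = array_map('strtoupper', $methods);
    return in_array(strtoupper($requestMethod), $listed, true);
}

/**
 * Mirrors the behaviour the advisory describes for the fix: whenever GET
 * appears in the list, HEAD is added automatically.
 */
function normalizeMethods(array $methods): array
{
    $listed = array_map('strtoupper', $methods);
    if (in_array('GET', $listed, true) && !in_array('HEAD', $listed, true)) {
        $listed[] = 'HEAD';
    }
    return $listed;
}

function enforcesCheckFixed(string $requestMethod, array $methods): bool
{
    return enforcesCheckLiteral($requestMethod, normalizeMethods($methods));
}

// Controller sketch (hypothetical class and route path).
//
// Weak setting on an affected version: a HEAD request to /admin/report
// reaches the controller without the ROLE_ADMIN check.
//
//   #[Route('/admin/report')]
//   #[IsGranted('ROLE_ADMIN', methods: ['GET'])]
//   public function report(): Response { /* ... */ }
//
// Workaround until the fixed release is deployed: list HEAD explicitly,
// or drop the methods filter so the check applies to every method.
//
//   #[IsGranted('ROLE_ADMIN', methods: ['GET', 'HEAD'])]

// Walk through the cases that matter for this advisory.
$cases = [
    ['GET',  ['GET']],
    ['HEAD', ['GET']],   // the bypass on affected versions
    ['POST', ['GET']],   // unrelated methods stay unfiltered either way
    ['HEAD', []],        // no filter: always enforced
];
foreach ($cases as [$method, $filter]) {
    printf(
        "%-4s with methods %-14s literal: %-5s fixed: %s\n",
        $method,
        json_encode($filter),
        enforcesCheckLiteral($method, $filter) ? 'true' : 'false',
        enforcesCheckFixed($method, $filter) ? 'true' : 'false'
    );
}
```

Run with `php example.php`; the HEAD row is the one that changes from false to true once GET implies HEAD. The same normalisation is what an application-level audit would apply when reviewing existing attribute usage: any methods list that contains GET but not HEAD is a candidate for the explicit workaround on affected versions.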

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T21:12:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}
References

Affected packages

Packagist
symfony/http-kernel

Package

Name
symfony/http-kernel
Purl
pkg:composer/symfony%2Fhttp-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.0
Fixed
7.4.12

Affected versions

v7.*
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.10
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6439-2f28-8p8q/GHSA-6439-2f28-8p8q.json"
symfony/http-kernel

Package

Name
symfony/http-kernel
Purl
pkg:composer/symfony%2Fhttp-kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.10
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6439-2f28-8p8q/GHSA-6439-2f28-8p8q.json"
symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony%2Fsecurity-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.0
Fixed
7.4.12

Affected versions

v7.*
v7.4.0
v7.4.1
v7.4.3
v7.4.4
v7.4.6
v7.4.8
v7.4.9
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6439-2f28-8p8q/GHSA-6439-2f28-8p8q.json"
symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony%2Fsecurity-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.3
v8.0.4
v8.0.6
v8.0.8
v8.0.9
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6439-2f28-8p8q/GHSA-6439-2f28-8p8q.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.4.0
Fixed
7.4.12

Affected versions

v7.*
v7.4.0
v7.4.1
v7.4.2
v7.4.3
v7.4.4
v7.4.5
v7.4.6
v7.4.7
v7.4.8
v7.4.9
v7.4.10
v7.4.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6439-2f28-8p8q/GHSA-6439-2f28-8p8q.json"
symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony%2Fsymfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.12

Affected versions

v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.0.4
v8.0.5
v8.0.6
v8.0.7
v8.0.8
v8.0.9
v8.0.10
v8.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6439-2f28-8p8q/GHSA-6439-2f28-8p8q.json"