Detections
Analytics

Symfony < 5.4.51 / 6.4.x < 6.4.33 / 7.3.x < 7.3.11 / 7.4.x < 7.4.5 / 8.0.x < 8.0.5 Process Component Argument Injection (GHSA-r39x-jcww-82v6)

medium Nessus Plugin ID 298792

Synopsis

A PHP library installed on the remote host is affected by an argument injection vulnerability.

Description

The version of Symfony installed on the remote host is prior to 5.4.51, or 6.4.x prior to 6.4.33, or 7.3.x prior to 7.3.11, or 7.4.x prior to 7.4.5, or 8.0.x prior to 8.0.5. It is, therefore, affected by an argument injection vulnerability in the Process component. The Symfony Process component did not correctly treat some characters (notably '=') as special when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2's argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application uses Symfony Process to invoke file-management commands with a path argument containing '=', the MSYS2 conversion layer may alter the argument at runtime. In affected setups, this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Also note that this plugin does not distinguish between PHP packages installed via the OS package manager, PHP packages installed via Composer, or other sources. As a result, packages provided by your OS package repository may have backported fixes that this plugin may incorrectly report as vulnerable. Please refer to the OS-specific plugins for CVE-2026-24739 to check for backported fixes.

Solution

Upgrade to Symfony version 5.4.51, 6.4.33, 7.3.11, 7.4.5, 8.0.5 or later.

See Also

http://www.nessus.org/u?40def815

https://github.com/symfony/symfony/issues/62921

Plugin Details

Severity: Medium

ID: 298792

File Name: symfony_CVE-2026-24739.nasl

Version: 1.2

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 2/12/2026

Updated: 2/13/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.4

Vector: CVSS2#AV:L/AC:H/Au:N/C:N/I:C/A:C

CVSS Score Source: CVE-2026-24739

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 5.7

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sensiolabs:symfony

Required KB Items: language_library/package/composer/enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/28/2026

Vulnerability Publication Date: 1/28/2026

Reference Information

CVE: CVE-2026-24739

IAVB: 2026-B-0029