CVE-2013-4752
Description
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Symfony 2.x HttpFoundation component allows Host header poisoning, enabling attackers to inject malicious content into generated absolute URLs.
Vulnerability
The HttpFoundation component's Request::getHost() method returns the value of the Host request header (PHP exposes it as $_SERVER['HTTP_HOST']; when proxy headers are trusted, X-Forwarded-Host is used instead) without validating it. Because that header is supplied by the client, an attacker can set it to an arbitrary string, including one that is not a hostname at all [2].
Exploitation
Anything that builds an absolute URL from the request, for example the link in a password-reset e-mail, a redirect or canonical URL, or a URL written into a page that is later cached, uses the host returned by getHost(). A request carrying a crafted Host header therefore yields a URL whose host is attacker-controlled, or which contains injected characters. Whether the crafted header reaches the application depends on the deployment: a web server or reverse proxy that only routes requests for known hostnames, or that rewrites Host before forwarding, blocks the vector, while a catch-all virtual host passes it through [2][4].
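The following is an added example, not Symfony's own code, modelling the mechanism described in the Vulnerability and Exploitation sections. It builds a password-reset style absolute URL from a Host header taken verbatim from the request, then shows the two checks that stop the poisoning: a hostname syntax check (the kind of check the Symfony fix added) and an allowlist of the hosts the deployment actually serves. The function names, hostnames, the $_SERVER-style arrays and the token placeholder are all this example's own assumptions.

```php
<?php
// Added example; not Symfony's code. Models how an absolute URL built from a Host
// header copied verbatim from the request is poisoned, and the two checks that stop
// it: a hostname syntax check and an allowlist of the hosts this deployment serves.
// Function and host names are this example's own assumptions.

declare(strict_types=1);

// Constructed $_SERVER-style arrays standing in for three requests.
function legitimateRequest(): array
{
    return ['HTTP_HOST' => 'app.example.com', 'HTTPS' => 'on'];
}
function poisonedRequest(): array
{
    // Syntactically a hostname, but not one this application serves.
    return ['HTTP_HOST' => 'attacker.example.net', 'HTTPS' => 'on'];
}
function injectionRequest(): array
{
    // Not a hostname at all; an unvalidated getHost() passes it straight into the URL.
    return ['HTTP_HOST' => 'app.example.com"><script>alert(1)</script>', 'HTTPS' => 'on'];
}

// Vulnerable behaviour: the host is whatever the client sent. A deployment that trusts
// its proxy would read HTTP_X_FORWARDED_HOST here instead, with exactly the same flaw.
function hostUnchecked(array $server): string
{
    return strtolower(trim($server['HTTP_HOST'] ?? ''));
}

// Hardened behaviour. The regex accepts dotted RFC 1123 labels plus an optional port;
// IPv6 literals are deliberately not accepted (extend it if the app is served that way).
// The syntax check alone still lets attacker.example.net through, hence the allowlist.
function hostChecked(array $server, array $trustedHosts): string
{
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match("/^(?:$label\\.)*$label(?::\\d{1,5})?$/", $host)) {
        throw new UnexpectedValueException('Invalid Host header');
    }
    if (!in_array(preg_replace('/:\d+$/', '', $host), $trustedHosts, true)) {
        throw new UnexpectedValueException('Untrusted Host header');
    }
    return $host;
}

// The kind of absolute URL a password-reset e-mail carries.
function absoluteUrl(string $host, array $server, string $path): string
{
    $scheme = (($server['HTTPS'] ?? '') === 'on') ? 'https' : 'http';
    return "$scheme://$host$path";
}

$trusted = ['app.example.com'];
$resetPath = '/reset/confirm?token=EXAMPLE_TOKEN'; // placeholder token, constructed

// Vulnerable path: the e-mailed link now points at the attacker's host, which receives
// the token when the victim clicks it.
echo 'unchecked: ', absoluteUrl(hostUnchecked(poisonedRequest()), poisonedRequest(), $resetPath), PHP_EOL;

// Hardened path: only the legitimate request yields a URL; the other two are rejected
// before any URL, page or e-mail is generated.
foreach ([legitimateRequest(), poisonedRequest(), injectionRequest()] as $request) {
    try {
        echo 'checked:   ', absoluteUrl(hostChecked($request, $trusted), $request, $resetPath), PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo 'rejected:  ', $request['HTTP_HOST'], ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The allowlist is the part that matters operationally: a syntax check stops injected markup but cannot tell the application's own hostname from a valid foreign one. In production the same allowlist belongs at the web server or reverse proxy as well, so that requests for unknown hostnames never reach the application.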
Impact
The attacker can inject attacker-chosen content into generated URLs and, through them, into application pages and e-mails. Typical consequences are phishing (a password-reset link that sends the victim, together with the reset token in the link, to the attacker's host) and web-cache poisoning when a page containing the poisoned URL is cached and served to other users [1][2][4].
Mitigation
Symfony released patched versions 2.0.24, 2.1.12, 2.2.5 and 2.3.3; users should upgrade to these or later versions [2][3]. The patched getHost() rejects a host value that is not syntactically a hostname (the request fails with an exception instead of a page being generated), so a crafted header no longer reaches URL generation. A syntactically valid but foreign hostname still passes that check; where the host must not be client-chosen, restrict it at the web server or reverse proxy so that only the hostnames the application serves are routed to it, or use the trusted-host allowlist that later Symfony releases added. The advisory itself gives no workaround; upgrading is the recommended fix.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| symfony/symfony | Packagist | >= 2.0.0, < 2.0.24 | 2.0.24 |
| symfony/symfony | Packagist | >= 2.1.0, < 2.1.12 | 2.1.12 |
| symfony/symfony | Packagist | >= 2.2.0, < 2.2.5 | 2.2.5 |
| symfony/symfony | Packagist | >= 2.3.0, < 2.3.3 | 2.3.3 |
| symfony/http-foundation | Packagist | >= 2.0.0, < 2.0.24 | 2.0.24 |
| symfony/http-foundation | Packagist | >= 2.1.0, < 2.1.12 | 2.1.12 |
| symfony/http-foundation | Packagist | >= 2.2.0, < 2.2.5 | 2.2.5 |
| symfony/http-foundation | Packagist | >= 2.3.0, < 2.3.3 | 2.3.3 |
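The Mitigation section and the table above give the affected and patched ranges; the following added example (not GHSA's or Symfony's tooling) checks a composer.lock against those ranges so the answer to "are we affected?" comes from the lock file rather than from memory. The lock file content embedded below is constructed for the example, and the constant and function names are this example's own.

```php
<?php
// Added example; not Symfony's or GHSA's tooling. Checks a composer.lock against the
// affected/patched ranges for CVE-2013-4752 taken from the table above. The lock
// file content below is constructed for the example.

declare(strict_types=1);

// Each branch is [lower bound (inclusive), first patched version). Both package names
// matter: symfony/symfony bundles the http-foundation component.
const CVE_2013_4752_RANGES = [
    'symfony/symfony'         => [['2.0.0', '2.0.24'], ['2.1.0', '2.1.12'], ['2.2.0', '2.2.5'], ['2.3.0', '2.3.3']],
    'symfony/http-foundation' => [['2.0.0', '2.0.24'], ['2.1.0', '2.1.12'], ['2.2.0', '2.2.5'], ['2.3.0', '2.3.3']],
];

// Composer records tagged releases as "v2.2.4"; version_compare() wants "2.2.4".
// Branch aliases such as "dev-master" are not release versions and are reported separately.
function normalizeVersion(string $version): string
{
    return ltrim($version, 'vV');
}

// True when $version falls in [$lower, $firstPatched).
function inAffectedRange(string $version, string $lower, string $firstPatched): bool
{
    $v = normalizeVersion($version);
    return version_compare($v, $lower, '>=') && version_compare($v, $firstPatched, '<');
}

// Returns [package => [installed version, first patched version]] for every vulnerable
// entry, and [package => [installed version, null]] for dev versions that need manual review.
function findVulnerable(string $composerLockJson): array
{
    $lock = json_decode($composerLockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        $name = $pkg['name'] ?? '';
        if (!isset(CVE_2013_4752_RANGES[$name])) {
            continue;
        }
        if (str_starts_with($pkg['version'], 'dev-')) {
            $findings[$name] = [$pkg['version'], null];
            continue;
        }
        foreach (CVE_2013_4752_RANGES[$name] as [$lower, $patched]) {
            if (inAffectedRange($pkg['version'], $lower, $patched)) {
                $findings[$name] = [$pkg['version'], $patched];
            }
        }
    }
    return $findings;
}

// Constructed lock file: one vulnerable pin, one pin already at the patched version,
// and an unrelated package.
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "symfony/http-foundation", "version": "v2.2.4"},
    {"name": "symfony/symfony", "version": "v2.3.3"},
    {"name": "monolog/monolog", "version": "1.6.0"}
  ],
  "packages-dev": []
}
JSON;

foreach (findVulnerable($sampleLock) as $name => [$installed, $patched]) {
    if ($patched === null) {
        printf("%s %s is a branch alias; confirm its commit contains the fix\n", $name, $installed);
    } else {
        printf("%s %s is affected by CVE-2013-4752; upgrade to %s or later\n", $name, $installed, $patched);
    }
}
// Real run: findVulnerable(file_get_contents('composer.lock'))
```

Only symfony/http-foundation v2.2.4 is reported for the sample; symfony/symfony v2.3.3 is exactly the first patched version and is not in range. For ongoing coverage, the FriendsOfPHP security-advisories database referenced below is what `composer audit` and the Symfony CLI's `security:check` consult, so either of those gives the same answer for every advisory rather than for this one CVE.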
Affected products
- Symfony/Symfony (GHSA coordinates; no CPE assigned): 2 version ranges, the first being >= 2.0.0, < 2.0.24
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-22pv-7v9j-hqxp (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-4752 (GHSA; advisory)
- lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html (GHSA; web, misc)
- lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html (GHSA; web, misc)
- symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released (GHSA; vendor confirmation)
- www.securityfocus.com/bid/61715 (MITRE; misc)
- bugzilla.redhat.com/show_bug.cgi (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86365 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86366 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86367 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86368 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86369 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86370 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86371 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86372 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86373 (GHSA; web, misc)
- exchange.xforce.ibmcloud.com/vulnerabilities/86374 (GHSA; web, misc)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2013-4752.yaml (GHSA; web)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-4752.yaml (GHSA; web)
- web.archive.org/web/20130901060826/http://www.securityfocus.com/bid/61715 (GHSA; web)
News mentions
No linked articles in our index yet.