CVE-2017-16652
Description
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This open redirect vulnerability can be exploited, for example, to mount effective phishing attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Symfony's authentication handlers create an open redirect via the _target_path parameter, enabling phishing attacks.
Vulnerability
In Symfony versions 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13, the DefaultAuthenticationSuccessHandler and DefaultAuthenticationFailureHandler classes use the _target_path request parameter to build a redirect response after authentication. No validation is performed to ensure the path is relative or belongs to the same domain, so an attacker can supply an absolute URL pointing to an external domain. This flaw is an open redirect vulnerability [1][2].
Exploitation
An attacker needs to craft a login URL that includes a _target_path parameter whose value is an absolute URL to an external site under their control (e.g., https://evil.com/). When a user clicks such a link and completes the Symfony authentication process, the success or failure handler will redirect the user to that external URL. The attacker does not require any special network position or authentication; user interaction (clicking the crafted link and logging in) is sufficient [1][3].
Impact
Successful exploitation allows an attacker to redirect users from a legitimate Symfony application to an arbitrary external domain. This open redirect can be leveraged for phishing campaigns, tricking users into entering credentials or sensitive information on a malicious site that appears to be the legitimate application, thereby compromising confidentiality and trust [1].
Mitigation
Symfony addressed this issue in versions 2.7.38, 2.8.31, 3.2.14, and 3.3.13. Users running affected versions should upgrade immediately to the corresponding patched release. No workaround is described in the available references [4].
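As an added illustration of the missing check described above (this is not Symfony's code and not from the advisory; the function names, the expected host and the candidate targets are assumptions), a same-origin filter applied to a _target_path value before it is used in a redirect:

```php
<?php
declare(strict_types=1);

/**
 * Accept only same-origin redirect targets: a local path with a single
 * leading slash, or an absolute http(s) URL whose host[:port] equals
 * $expectedHost. External hosts, protocol-relative "//host" forms,
 * non-http schemes and backslash variants are all rejected.
 */
function isSafeRedirectTarget(string $target, string $expectedHost): bool
{
    $target = trim($target);
    if ($target === '' || str_contains($target, '\\')) {
        return false;
    }
    if ($target[0] === '/') {
        // "/path" is local; "//host/path" is protocol-relative and external.
        return !isset($target[1]) || $target[1] !== '/';
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // unparsable, or host-less values such as "javascript:..."
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']) . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return $host === strtolower($expectedHost);
}

/** Resolve the post-login destination, falling back to $default when unsafe. */
function resolveRedirectTarget(?string $target, string $expectedHost, string $default = '/'): string
{
    return ($target !== null && isSafeRedirectTarget($target, $expectedHost)) ? $target : $default;
}

// Constructed sample values (assumed host and candidate targets, not from the advisory).
$expectedHost = 'app.example.test';
$candidates = [
    '/account',                                   // local path: followed
    'https://app.example.test/account',           // same origin: followed
    'https://attacker.example/login',             // external host: falls back to "/"
    '//attacker.example/login',                   // protocol-relative: falls back to "/"
    'https://app.example.test@attacker.example/', // userinfo trick: host is attacker.example
];
foreach ($candidates as $candidate) {
    printf("%-46s -> %s\n", $candidate, resolveRedirectTarget($candidate, $expectedHost));
}
```

Requires PHP 8.0 or later for str_contains(); the expected host should be taken from trusted configuration rather than from the incoming Host header.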
[1] NVD - CVE-2017-16652
[2] security-advisories/symfony/symfony/CVE-2017-16652.yaml at master · FriendsOfPHP/security-advisories
[3] security-advisories/symfony/security-http/CVE-2017-16652.yaml at master · FriendsOfPHP/security-advisories
[4] security-advisories/symfony/security/CVE-2017-16652.yaml at master · FriendsOfPHP/security-advisories
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/symfony (Packagist) | >= 2.7.0, < 2.7.38 | 2.7.38 |
| symfony/symfony (Packagist) | >= 2.8.0, < 2.8.31 | 2.8.31 |
| symfony/symfony (Packagist) | >= 3.2.0, < 3.2.14 | 3.2.14 |
| symfony/symfony (Packagist) | >= 3.3.0, < 3.3.13 | 3.3.13 |
| symfony/security-http (Packagist) | >= 2.7.0, < 2.7.38 | 2.7.38 |
| symfony/security-http (Packagist) | >= 2.8.0, < 2.8.31 | 2.8.31 |
| symfony/security-http (Packagist) | >= 3.2.0, < 3.2.14 | 3.2.14 |
| symfony/security-http (Packagist) | >= 3.3.0, < 3.3.13 | 3.3.13 |
| symfony/security (Packagist) | >= 2.7.0, < 2.7.38 | 2.7.38 |
| symfony/security (Packagist) | >= 2.8.0, < 2.8.31 | 2.8.31 |
| symfony/security (Packagist) | >= 3.2.0, < 3.2.14 | 3.2.14 |
| symfony/security (Packagist) | >= 3.3.0, < 3.3.13 | 3.3.13 |
Affected products
Three GHSA package coordinates, none with a CPE assigned; each starts at the range >= 2.7.0, < 2.7.38, with the further ranges as listed in the table above.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r7p7-qr7p-2rrf (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-16652 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2017-16652.yaml (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16652.yaml (web)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16652.yaml (web)
- lists.debian.org/debian-lts-announce/2019/03/msg00009.html (mailing list, x_refsource_MLIST)
- symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers (vendor confirmation, x_refsource_CONFIRM)
- symfony.com/cve-2017-16652 (web)
News mentions
No linked articles in our index yet.