Moderate severity · NVD Advisory · Published Jun 13, 2018 · Updated Aug 5, 2024

CVE-2018-11386

Description

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to cause a denial of service on a Symfony application without many resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing SQL strict mode check in Symfony's PDOSessionHandler allows a crafted session to trigger an infinite-loop denial of service on MySQL backends.

Vulnerability

The PDOSessionHandler class in Symfony's http-foundation component (versions 2.7.0–2.7.47, 2.8.0–2.8.40, 3.3.0–3.3.16, 3.4.0–3.4.10, and 4.0.0–4.0.10) allows storing PHP sessions on a PDO connection. Under certain conditions, a specially crafted session payload causes an infinite loop, leading to a denial of service [2].

Exploitation

An attacker must: (1) identify an application using PDOSessionHandler to store sessions, (2) confirm MySQL is the backend, and (3) verify that the MySQL sql_mode does not include STRICT_ALL_TABLES or STRICT_TRANS_TABLES (e.g., by checking SELECT @@sql_mode). With those preconditions met, a well-crafted session payload sent by the attacker triggers the infinite loop [2][3]. No authentication is required; the attacker simply submits the malicious session data.

Impact

Successful exploitation causes a denial of service by consuming server resources (CPU) as the loop runs indefinitely. No data is disclosed, modified, or permanently destroyed, but the application becomes unresponsive [1][2].

Mitigation

Symfony fixed the issue in versions 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11 (also fixed before the final release of 4.1.0) [2][3]. Users are strongly advised to upgrade to a patched version. No official workaround is available if upgrading is not possible; switching to a different session handler or enabling strict SQL modes might prevent exploitation but is not an official patch. Versions 3.0, 3.1, and 3.2 are end-of-life and are not patched [2][3].
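The three preconditions named under Exploitation, and the strict-mode mitigation just above, can be turned into a single exposure check. The script below is an added example, not code from Symfony or from this advisory: it reads a composer.lock package list, the database backend name and the value of @@sql_mode, and reports whether an affected version (per the Affected packages table) is running on MySQL without STRICT_ALL_TABLES or STRICT_TRANS_TABLES. The sample lock file and sql_mode value are constructed inputs.

```python
# Exposure check for CVE-2018-11386 (added example, not Symfony's own code):
# an affected symfony/http-foundation or symfony/symfony version, a MySQL
# backend, and a sql_mode lacking STRICT_ALL_TABLES / STRICT_TRANS_TABLES.
import json
import re

# Affected ranges ">= low, < patched" exactly as listed in the advisory table.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 48)),
    ((2, 8, 0), (2, 8, 41)),
    ((3, 3, 0), (3, 3, 17)),
    ((3, 4, 0), (3, 4, 11)),
    ((4, 0, 0), (4, 0, 11)),
]
SESSION_PACKAGES = ("symfony/http-foundation", "symfony/symfony")

def parse_version(v: str) -> tuple:
    """'v3.4.10' or '3.4.10' -> (3, 4, 10); any pre-release suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(v: str) -> bool:
    """True when v falls inside one of the affected ranges."""
    pv = parse_version(v)
    return any(low <= pv < high for low, high in AFFECTED_RANGES)

def sql_mode_is_strict(sql_mode: str) -> bool:
    """True when a @@sql_mode value contains either strict flag."""
    modes = {m.strip().upper() for m in sql_mode.split(",") if m.strip()}
    return bool(modes & {"STRICT_ALL_TABLES", "STRICT_TRANS_TABLES"})

def exposure(composer_lock: str, backend: str, sql_mode: str) -> dict:
    """Verdict from composer.lock JSON text, the DB backend name and @@sql_mode."""
    pkgs = json.loads(composer_lock).get("packages", [])
    vulnerable = [f'{p["name"]} {p["version"]}' for p in pkgs
                  if p["name"] in SESSION_PACKAGES and is_affected_version(p["version"])]
    mysql = backend.lower() == "mysql"
    strict = sql_mode_is_strict(sql_mode)
    return {"vulnerable_packages": vulnerable, "mysql_backend": mysql,
            "strict_mode": strict, "exposed": bool(vulnerable) and mysql and not strict}

# Constructed sample inputs (not real data): an unpatched http-foundation
# on MySQL with a sql_mode that lacks both strict flags.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/http-foundation", "version": "v3.4.10"},
    {"name": "doctrine/dbal", "version": "v2.7.1"}]})
SAMPLE_SQL_MODE = "ONLY_FULL_GROUP_BY,NO_ENGINE_SUBSTITUTION"
```

A verdict with `exposed` false because only `strict_mode` is true still leaves an unpatched package in place; the advisory treats strict mode as a possible preventive setting, not as the fix.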

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions     Patched version
symfony/symfony           Packagist   >= 2.7.0, < 2.7.48    2.7.48
symfony/symfony           Packagist   >= 2.8.0, < 2.8.41    2.8.41
symfony/symfony           Packagist   >= 3.3.0, < 3.3.17    3.3.17
symfony/symfony           Packagist   >= 3.4.0, < 3.4.11    3.4.11
symfony/symfony           Packagist   >= 4.0.0, < 4.0.11    4.0.11
symfony/http-foundation   Packagist   >= 2.7.0, < 2.7.48    2.7.48
symfony/http-foundation   Packagist   >= 2.8.0, < 2.8.41    2.8.41
symfony/http-foundation   Packagist   >= 3.3.0, < 3.3.17    3.3.17
symfony/http-foundation   Packagist   >= 3.4.0, < 3.4.11    3.4.11
symfony/http-foundation   Packagist   >= 4.0.0, < 4.0.11    4.0.11
