CVE-2018-14773
Description
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Symfony's HttpFoundation component trusts the X-Original-URL and X-Rewrite-URL IIS headers without verifying the server is IIS, enabling request URL spoofing and cache poisoning.
Vulnerability
The HttpFoundation component in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13 and 4.1.0 through 4.1.2 resolves the request URI in \Symfony\Component\HttpFoundation\Request::prepareRequestUri() ([1], [2]). Before the fix, that method checked the X-Original-URL and X-Rewrite-URL request headers first (the header bag normalises names, so the X_ORIGINAL_URL and X_REWRITE_URL spellings in the code and in the advisory are the same two headers) and, if either was present, used its value as the request path. The headers exist for IIS rewrite modules (Microsoft URL Rewrite and ISAPI_Rewrite), but nothing verified that the application was actually behind IIS, or that the header had been set by the server rather than sent by the client, so on any web server the routed path was attacker-controlled [1]. The third branch, which reads the IIS_WasUrlRewritten and UNENCODED_URL server variables, was kept by the fix: those are populated by IIS itself and cannot be supplied by a remote client, because a client header only reaches PHP under an HTTP_ prefix.
Exploitation
An attacker sends a request for some permitted path and adds an X-Original-URL or X-Rewrite-URL header carrying an arbitrary path [2]. No authentication or special network position is needed; the attacker only has to get the request to the application, and most reverse proxies forward unknown headers unchanged [1]. prepareRequestUri() then substitutes the header value for the request URI before routing, so the application routes, generates URLs and evaluates its own path-based rules against the attacker-chosen path, while every component that only sees the request line (a reverse-proxy ACL, a WAF rule, a shared cache keyed on the URL) still sees the original, permitted path [1]. The gap between those two views is what gets exploited.
Impact
Successful exploitation lets the attacker decouple the URL a front-end component sees from the URL the application acts on, leading to web cache poisoning (a shared cache stores, under the requested URL, the response the application generated for the header path), bypass of path-based restrictions enforced in front of the application, and manipulation of any server-side behaviour that depends on the request path [1], [2]. The effect is confined to how the application interprets the spoofed URI, but that can still amount to unintended data exposure or privilege escalation, for example reaching an administrative route that a proxy rule was meant to block [3].
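The resolution order described above (override header first, then the IIS server variables, then the request line), modelled as an added Python example rather than Symfony's PHP or any code from this advisory. prepare_request_uri() reimplements, in simplified form, the branches visible in the fix diff with a legacy_headers switch for before/after behaviour; front_end_allows() is a constructed reverse-proxy ACL standing in for any control that keys on the request line; the header and server dictionaries are constructed inputs, not captured traffic.

```python
"""Model of the request-URI selection behind CVE-2018-14773.

Added example, not code from Symfony or from this advisory. The real logic is
PHP (Request::prepareRequestUri); these functions reimplement the part of it
shown in the fix diff, in simplified form, so the before/after behaviour can
be exercised offline. The front-end ACL and the header/server dictionaries
are constructed for illustration.
"""
from typing import Dict, Optional

# Client-controlled headers the pre-fix code honoured. HttpFoundation's
# HeaderBag normalises names (lowercase, '_' -> '-'), so X_ORIGINAL_URL and
# X-Original-URL are the same key; both spellings appear in the advisory.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def _norm(name: str) -> str:
    return name.lower().replace("_", "-")


def prepare_request_uri(headers: Dict[str, str], server: Dict[str, str],
                        legacy_headers: bool) -> str:
    """Return the path the application will route on.

    headers        -- HTTP request headers, entirely attacker controlled
    server         -- CGI/server variables populated by the web server
    legacy_headers -- True models HttpFoundation before the fix (e.g. <2.8.44),
                      False models the patched code
    """
    h = {_norm(k): v for k, v in headers.items()}
    if legacy_headers:
        # Pre-fix: an IIS-only override header is trusted without any check
        # that the server is IIS, so any client can rewrite the path.
        for name in OVERRIDE_HEADERS:
            if name in h:
                return h[name]
    # Kept by the fix: these are server variables set by IIS URL Rewrite. They
    # carry no HTTP_ prefix, so a remote client cannot inject them via a header.
    if server.get("IIS_WasUrlRewritten") == "1" and server.get("UNENCODED_URL"):
        return server["UNENCODED_URL"]
    # Simplified tail: the real method also consults ORIG_PATH_INFO/PATH_INFO.
    return server.get("REQUEST_URI", "/")


def strip_override_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Proxy-side workaround for unpatched apps: drop the override headers
    before the request reaches PHP (what `RequestHeader unset` in Apache or an
    empty `proxy_set_header` value in nginx does)."""
    return {k: v for k, v in headers.items() if _norm(k) not in OVERRIDE_HEADERS}


def front_end_allows(request_line_path: str, client_is_internal: bool) -> bool:
    """Constructed reverse-proxy ACL: /admin only from the internal network.
    Like a real proxy rule, WAF signature or cache key, it sees only the path
    in the request line, never the override header."""
    if request_line_path.startswith("/admin"):
        return client_is_internal
    return True


def handle(request_line_path: str, headers: Dict[str, str], *,
           legacy_headers: bool, internal: bool = False,
           strip_at_proxy: bool = False) -> Optional[str]:
    """Run one request through proxy ACL -> (optional header stripping) ->
    HttpFoundation. Returns the path the app serves, or None if the proxy
    refused the request."""
    if not front_end_allows(request_line_path, internal):
        return None
    if strip_at_proxy:
        headers = strip_override_headers(headers)
    server = {"REQUEST_URI": request_line_path}  # what Apache/PHP-FPM populate
    return prepare_request_uri(headers, server, legacy_headers)


if __name__ == "__main__":
    attack = {"X-Original-URL": "/admin/users"}
    # External client asks for "/" but smuggles /admin/users past the ACL.
    print("vulnerable:", handle("/", attack, legacy_headers=True))   # /admin/users
    print("patched:   ", handle("/", attack, legacy_headers=False))  # /
    print("stripped:  ", handle("/", attack, legacy_headers=True,
                                strip_at_proxy=True))                # /
    print("direct:    ", handle("/admin/users", {}, legacy_headers=True))  # None
```

The four calls in the `__main__` block are the whole story: the same request passes the proxy as a request for `/`, the unpatched component routes it to `/admin/users`, the patched component ignores the header, and stripping the header at the proxy gives an unpatched deployment the same outcome as the patch.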
Mitigation
The fix shipped in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14 and 4.1.3, which remove support for the X-Original-URL and X-Rewrite-URL headers entirely; this is a documented BC break, and IIS deployments that relied on them should use the URL Rewrite module's IIS_WasUrlRewritten/UNENCODED_URL server variables, which are still honoured [2]. Upgrade to those or later versions. Debian stretch carries the fix in symfony 2.8.7+dfsg-1.3+deb9u2 [3], and Drupal core bundled the patched component in 8.5.6 (SA-CORE-2018-005). If an immediate upgrade is not possible, strip the two headers before the request reaches PHP, for example with `RequestHeader unset X-Original-URL` and `RequestHeader unset X-Rewrite-URL` in Apache mod_headers, or `proxy_set_header X-Original-URL "";` and `proxy_set_header X-Rewrite-URL "";` on an nginx reverse proxy (an empty value drops the header from the proxied request). Whether a deployment is affected, and whether the workaround is effective, can be checked by requesting a known path with the header set to a different existing path and confirming that the response corresponds to the request line, not to the header.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the GHSA ranges for the 3.x line start at 3.0.0 rather than the 3.3.0 given in the CVE description: the 3.0, 3.1 and 3.2 branches were already out of maintenance and received no fix, so anything on them must move to 3.3.18, 3.4.14 or later.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/http-foundation (Packagist) | >= 2.7.0, < 2.7.49 | 2.7.49 |
| symfony/http-foundation (Packagist) | >= 2.8.0, < 2.8.44 | 2.8.44 |
| symfony/http-foundation (Packagist) | >= 3.0.0, < 3.3.18 | 3.3.18 |
| symfony/http-foundation (Packagist) | >= 3.4.0, < 3.4.14 | 3.4.14 |
| symfony/http-foundation (Packagist) | >= 4.0.0, < 4.0.14 | 4.0.14 |
| symfony/http-foundation (Packagist) | >= 4.1.0, < 4.1.3 | 4.1.3 |
| symfony/symfony (Packagist) | >= 2.7.0, < 2.7.49 | 2.7.49 |
| symfony/symfony (Packagist) | >= 2.8.0, < 2.8.44 | 2.8.44 |
| symfony/symfony (Packagist) | >= 3.0.0, < 3.3.18 | 3.3.18 |
| symfony/symfony (Packagist) | >= 3.4.0, < 3.4.14 | 3.4.14 |
| symfony/symfony (Packagist) | >= 4.0.0, < 4.0.14 | 4.0.14 |
| symfony/symfony (Packagist) | >= 4.1.0, < 4.1.3 | 4.1.3 |
Affected products
2 entries, both identified by GHSA coordinates (no CPE assigned):
- range: >= 2.7.0, < 2.7.49 (plus one more range, not expanded on the page)
- range: >= 2.7.0, < 2.7.49
Patches
2 patches
1 file changed · +1 −1
core/lib/Drupal.php+1 −1 modified@@ -82,7 +82,7 @@ class Drupal { /** * The current system version. */ - const VERSION = '8.5.5'; + const VERSION = '8.5.6'; /** * Core API compatibility.
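Review bot: the hunk only bumps `const VERSION = '8.5.5'` to `'8.5.6'` in core/lib/Drupal.php; nothing visible here updates the vendored symfony/http-foundation (composer.json, composer.lock or vendor/), so this hunk alone cannot be used to confirm that Drupal 8.5.6 actually carries the patched 3.4.14 code. Include the dependency bump in the same change set, or link the commit that performs it, so the version bump and the fix it advertises are reviewable together.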
e447e8b92148 [HttpFoundation] Remove support for legacy and risky HTTP headers
3 files changed · +7 −56
src/Symfony/Component/HttpFoundation/CHANGELOG.md+6 −0 modified@@ -1,6 +1,12 @@ CHANGELOG ========= +2.8.44 +------ + + * [BC BREAK] Support for the IIS-only `X_ORIGINAL_URL` and `X_REWRITE_URL` + HTTP headers has been dropped for security reasons. + 2.8.0 -----
src/Symfony/Component/HttpFoundation/Request.php+1 −12 modified@@ -1691,18 +1691,7 @@ protected function prepareRequestUri() { $requestUri = ''; - if ($this->headers->has('X_ORIGINAL_URL')) { - // IIS with Microsoft Rewrite Module - $requestUri = $this->headers->get('X_ORIGINAL_URL'); - $this->headers->remove('X_ORIGINAL_URL'); - $this->server->remove('HTTP_X_ORIGINAL_URL'); - $this->server->remove('UNENCODED_URL'); - $this->server->remove('IIS_WasUrlRewritten'); - } elseif ($this->headers->has('X_REWRITE_URL')) { - // IIS with ISAPI_Rewrite - $requestUri = $this->headers->get('X_REWRITE_URL'); - $this->headers->remove('X_REWRITE_URL'); - } elseif ('1' == $this->server->get('IIS_WasUrlRewritten') && '' != $this->server->get('UNENCODED_URL')) { + if ('1' == $this->server->get('IIS_WasUrlRewritten') && '' != $this->server->get('UNENCODED_URL')) { // IIS7 with URL Rewrite: make sure we get the unencoded URL (double slash problem) $requestUri = $this->server->get('UNENCODED_URL'); $this->server->remove('UNENCODED_URL');
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php+0 −44 modified@@ -1809,52 +1809,8 @@ public function iisRequestUriProvider() { return array( array( - array( - 'X_ORIGINAL_URL' => '/foo/bar', - ), - array(), - '/foo/bar', - ), - array( - array( - 'X_REWRITE_URL' => '/foo/bar', - ), array(), - '/foo/bar', - ), - array( - array(), - array( - 'IIS_WasUrlRewritten' => '1', - 'UNENCODED_URL' => '/foo/bar', - ), - '/foo/bar', - ), - array( - array( - 'X_ORIGINAL_URL' => '/foo/bar', - ), - array( - 'HTTP_X_ORIGINAL_URL' => '/foo/bar', - ), - '/foo/bar', - ), - array( - array( - 'X_ORIGINAL_URL' => '/foo/bar', - ), - array( - 'IIS_WasUrlRewritten' => '1', - 'UNENCODED_URL' => '/foo/bar', - ), - '/foo/bar', - ), - array( - array( - 'X_ORIGINAL_URL' => '/foo/bar', - ), array( - 'HTTP_X_ORIGINAL_URL' => '/foo/bar', 'IIS_WasUrlRewritten' => '1', 'UNENCODED_URL' => '/foo/bar', ),
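Review bot: the CHANGELOG entry names the headers as `X_ORIGINAL_URL` and `X_REWRITE_URL`, which is the header-bag key spelling, while clients send them on the wire as `X-Original-URL` and `X-Rewrite-URL`; operators writing WAF rules or searching logs will look for the wire form, so give both spellings. It would also help to say what IIS users should rely on instead, namely the `IIS_WasUrlRewritten`/`UNENCODED_URL` server-variable path that Request.php keeps.

Review bot: in the Request.php hunk, dropping the two header branches removes the injection, but the surviving `elseif ('1' == $this->server->get('IIS_WasUrlRewritten') && '' != $this->server->get('UNENCODED_URL'))` still trusts server variables unconditionally; that is sound because CGI/FastCGI expose client headers only under an `HTTP_` prefix, so a remote client cannot set those two names, but the reasoning belongs in the code comment so the next reader does not remove the branch for the same reason. Also note that the deleted branch used to remove `X_ORIGINAL_URL` from `$this->headers` and `HTTP_X_ORIGINAL_URL` from `$this->server`; after this change the header stays readable through the header bag, so application code that consulted it directly keeps the same exposure, which is worth a sentence in the changelog or a deprecation.

Review bot: the RequestTest.php hunk only deletes the `iisRequestUriProvider()` cases that asserted the header override; no remaining case asserts the new behaviour. Add a negative case with `'X_ORIGINAL_URL' => '/foo/bar'` in the headers array and a plain `REQUEST_URI` in the server array, expecting the request-line path, so a later refactor cannot silently reintroduce the override without a test failing.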
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
12 entries
- github.com/advisories/GHSA-8wgj-6wx8-h5hq (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-14773 (NVD entry)
- www.debian.org/security/2019/dsa-4441 (Debian DSA-4441, vendor advisory)
- www.securityfocus.com/bid/104943 (SecurityFocus BID 104943)
- www.securitytracker.com/id/1041405 (SecurityTracker 1041405)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml (FriendsOfPHP advisory, symfony/http-foundation)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml (FriendsOfPHP advisory, symfony/symfony)
- github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b (fix commit)
- lists.debian.org/debian-lts-announce/2019/03/msg00009.html (Debian LTS announcement)
- seclists.org/bugtraq/2019/May/21 (Bugtraq posting)
- symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers (Symfony security advisory)
- www.drupal.org/SA-CORE-2018-005 (Drupal SA-CORE-2018-005)
News mentions
No linked articles in our index yet.