CVE-2018-19790
Description
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the _failure_path input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Symfony open redirect via backslashes in `_failure_path` allows redirection to arbitrary domains after login.
Vulnerability
An open redirect exists in the HTTP integration of the Symfony Security component (`symfony/security-http`). After a failed login, the authentication failure handler redirects the user to the target supplied in the `_failure_path` request parameter, and `HttpUtils::createRedirectResponse()` is meant to reset any absolute URL that points at a foreign host to `/`. Before the fix, that host check only recognised targets written with forward slashes (`http://` or `https://`); a target that uses backslashes as separators, for example `http:\\pirate.net/foo`, did not match the check at all, was passed through unchanged, and is normalised by browsers to `http://pirate.net/foo`. This affects Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1 [1][2].
Exploitation
Exploitation needs no account on the application: the attacker gets the victim to submit the application's login endpoint with `_failure_path` set to a backslash-separated URL such as `http:\\pirate.net/foo` (the value used in the fix's regression test), whether through a crafted link or an attacker-controlled form that posts to the login route. When the login attempt fails, the failure handler redirects to that value; the foreign-host check never fires because the target lacks the literal `://` the check looked for, and the browser follows the redirect to the attacker's host. The only user interaction required is submitting the form [2][4].
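To see the bypass mechanically, the following added example (not Symfony's own code) reproduces the host check from `HttpUtils::createRedirectResponse()` as it read before and after the fix commit, and runs both versions over constructed `_failure_path` values. It assumes the request host is `localhost` and uses the `'#^https?://%s$#i'` domain pattern from Symfony's own test suite; `guardedRedirectTarget()` is a name chosen for this example.

```php
<?php
// Added example, not Symfony code: the host guard from
// HttpUtils::createRedirectResponse() before and after the fix,
// applied to constructed redirect targets. Assumes request host
// "localhost" and the domain regexp Symfony's tests use.
declare(strict_types=1);

// Pre-fix guard: only a literal "://" after the scheme is recognised.
const VULNERABLE_HOST_PATTERN = '#^https?://[^/]++#i';
// Post-fix guard: two or more of "/" or "\" after the scheme count as the separator.
const PATCHED_HOST_PATTERN = '#^https?:[/\\\\]{2,}+[^/]++#i';
// Domain regexp: the matched "scheme://host" must be exactly the request host.
const DOMAIN_REGEXP = '#^https?://%s$#i';

/**
 * Mirror of the guard: if the target looks like an absolute URL and its
 * scheme+host part does not match the request host, collapse it to "/".
 * Returns the path that would be handed to the RedirectResponse.
 */
function guardedRedirectTarget(string $hostPattern, string $requestHost, string $path): string
{
    if (preg_match($hostPattern, $path, $host)
        && !preg_match(sprintf(DOMAIN_REGEXP, preg_quote($requestHost, '#')), $host[0])) {
        return '/';
    }

    // No match means the guard is skipped and the target goes out as-is.
    return $path;
}

// Constructed sample values an attacker could place in _failure_path.
$targets = [
    'http://localhost/login',     // own host: must survive both guards
    'http://pirate.net/foo',      // plain foreign host: caught by both
    'http:\\\\pirate.net/foo',    // PHP literal for http:\\pirate.net/foo
    'http:/\\pirate.net/foo',     // http:/\pirate.net/foo
    'http:\\/pirate.net/foo',     // http:\/pirate.net/foo
    'http://////pirate.net/foo',  // extra slashes, also collapsed by browsers
];

printf("%-28s %-24s %s\n", 'target', 'pre-fix guard', 'patched guard');
foreach ($targets as $target) {
    printf("%-28s %-24s %s\n", $target,
        guardedRedirectTarget(VULNERABLE_HOST_PATTERN, 'localhost', $target),
        guardedRedirectTarget(PATCHED_HOST_PATTERN, 'localhost', $target));
}
```

Run it with `php guard.php`. The plain `http://pirate.net/foo` target is reset to `/` by both versions, while the three backslash variants and `http://////pirate.net/foo` leave the pre-fix guard untouched (its regex simply does not match, so the domain comparison never runs) and are reset to `/` by the patched one. The pre-fix pass-through matters because `HttpUtils::generateUri()` returns any path that starts with `http` verbatim, and browsers treat `\` as `/` in the authority part of a URL.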
Impact
Successful exploitation results in an open redirect to any domain chosen by the attacker. This can be leveraged for phishing attacks, where users are redirected to a malicious site that mimics a legitimate one, potentially leading to credential theft or malware installation [1][3].
Mitigation
Update to the patched versions: Symfony 2.7.50, 2.8.49, 3.4.20 (3.4.19 for the `symfony/security` package alone), 4.0.15, 4.1.9, or 4.2.1, or later [1]. For Debian Stretch, upgrade to version 2.8.7+dfsg-1.3+deb9u2 [3]. No workaround is available; upgrading is the recommended action [2][4].
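As an added, illustrative check (not Composer's or Symfony's tooling), the script below reads a `composer.lock`, looks for the three package names from the advisory table, and reports any locked version that falls inside an affected range together with the release to move to. The ranges are copied from the table below; the embedded lock excerpt is constructed for the demonstration, and a real lock file can be passed as the first argument.

```php
<?php
// Added example, not Composer or Symfony code: match composer.lock entries
// against the CVE-2018-19790 ranges from the advisory. The lock excerpt
// embedded at the bottom is constructed for the demo.
declare(strict_types=1);

/** [lower bound inclusive, first fixed release] per package, from the advisory table. */
const AFFECTED = [
    'symfony/security-http' => [
        ['2.7.38', '2.7.50'], ['2.8.0', '2.8.49'], ['3.0.0', '3.4.20'],
        ['4.0.0', '4.0.15'], ['4.1.0', '4.1.9'], ['4.2.0', '4.2.1'],
    ],
    'symfony/security' => [
        ['2.7.38', '2.7.50'], ['2.8.0', '2.8.49'], ['3.0.0', '3.4.19'],
        ['4.0.0', '4.0.15'], ['4.1.0', '4.1.9'], ['4.2.0', '4.2.1'],
    ],
    'symfony/symfony' => [
        ['2.7.38', '2.7.50'], ['2.8.0', '2.8.49'], ['3.0.0', '3.4.20'],
        ['4.0.0', '4.0.15'], ['4.1.0', '4.1.9'],
    ],
];

/** Composer tags carry a leading "v" (e.g. "v3.4.19"); version_compare() wants it gone. */
function normalizeVersion(string $version): string
{
    return ltrim($version, 'vV');
}

/** Returns the first fixed release for this package/version, or null when not affected. */
function affectedFixedVersion(string $package, string $version): ?string
{
    $v = normalizeVersion($version);
    foreach (AFFECTED[$package] ?? [] as [$min, $fixed]) {
        if (version_compare($v, $min, '>=') && version_compare($v, $fixed, '<')) {
            return $fixed;
        }
    }

    return null;
}

/** Scans both "packages" and "packages-dev" of a composer.lock document. */
function scanLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (null !== $fixed = affectedFixedVersion($pkg['name'], $pkg['version'])) {
            $findings[$pkg['name']] = ['installed' => $pkg['version'], 'upgrade_to' => $fixed];
        }
    }

    return $findings;
}

// Constructed composer.lock excerpt: one affected component, one unrelated, one already fixed.
$sampleLock = <<<'JSON'
{"packages":[
  {"name":"symfony/security-http","version":"v3.4.19"},
  {"name":"symfony/http-foundation","version":"v3.4.19"},
  {"name":"symfony/security","version":"v4.2.1"}
],"packages-dev":[]}
JSON;

$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : $sampleLock;
$findings = scanLock($lockJson);
if ([] === $findings) {
    echo "No package in an affected range for CVE-2018-19790.\n";
}
foreach ($findings as $name => $f) {
    printf("%s %s is affected by CVE-2018-19790; upgrade to %s or later\n",
        $name, $f['installed'], $f['upgrade_to']);
}
```

Run as `php lock-check.php` for the embedded excerpt or `php lock-check.php /path/to/composer.lock` against a project; the checker keys on the three package names only, so a project that pins the full-stack `symfony/symfony` package is matched through that entry rather than through the individual components.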
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| symfony/security-http | Packagist | >= 2.7.38, < 2.7.50 | 2.7.50 |
| symfony/security-http | Packagist | >= 2.8.0, < 2.8.49 | 2.8.49 |
| symfony/security-http | Packagist | >= 3.0.0, < 3.4.20 | 3.4.20 |
| symfony/security-http | Packagist | >= 4.0.0, < 4.0.15 | 4.0.15 |
| symfony/security-http | Packagist | >= 4.1.0, < 4.1.9 | 4.1.9 |
| symfony/security-http | Packagist | >= 4.2.0, < 4.2.1 | 4.2.1 |
| symfony/security | Packagist | >= 2.7.38, < 2.7.50 | 2.7.50 |
| symfony/security | Packagist | >= 2.8.0, < 2.8.49 | 2.8.49 |
| symfony/security | Packagist | >= 3.0.0, < 3.4.19 | 3.4.19 |
| symfony/security | Packagist | >= 4.0.0, < 4.0.15 | 4.0.15 |
| symfony/security | Packagist | >= 4.1.0, < 4.1.9 | 4.1.9 |
| symfony/security | Packagist | >= 4.2.0, < 4.2.1 | 4.2.1 |
| symfony/symfony | Packagist | >= 2.7.38, < 2.7.50 | 2.7.50 |
| symfony/symfony | Packagist | >= 2.8.0, < 2.8.49 | 2.8.49 |
| symfony/symfony | Packagist | >= 3.0.0, < 3.4.20 | 3.4.20 |
| symfony/symfony | Packagist | >= 4.0.0, < 4.0.15 | 4.0.15 |
| symfony/symfony | Packagist | >= 4.1.0, < 4.1.9 | 4.1.9 |
Affected products
3 GHSA coordinate entries, none with a CPE assigned; each lists the range >= 2.7.38, < 2.7.50. The full per-branch ranges are in the table above.
Patches
99a0cec0a6be [Security\Http] detect bad redirect targets using backslashes
2 files changed · +17 −3
src/Symfony/Component/Security/Http/HttpUtils.php+1 −1 modified@@ -59,7 +59,7 @@ public function __construct(UrlGeneratorInterface $urlGenerator = null, $urlMatc */ public function createRedirectResponse(Request $request, $path, $status = 302) { - if (null !== $this->domainRegexp && preg_match('#^https?://[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) { + if (null !== $this->domainRegexp && preg_match('#^https?:[/\\\\]{2,}+[^/]++#i', $path, $host) && !preg_match(sprintf($this->domainRegexp, preg_quote($request->getHttpHost())), $host[0])) { $path = '/'; }
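Review bot: in the new pattern `[/\\\\]{2,}+[^/]++` the separator class accepts a backslash but the host capture `[^/]++` still stops only at a forward slash, so for a target like `http:\\pirate.net\foo` the backslash and everything after it land in `$host[0]`; with the `$`-anchored domain regexp that fails closed (the path is reset to `/`), so it is safe, but capturing the host as `[^/\\\\]++` would keep the two halves consistent, or the asymmetry deserves a comment. Separately, the `{2,}+` minimum leaves a target with a single separator after `https?:` outside the check entirely; either add a comment explaining why that form cannot reach the client or add a test that pins the behaviour. A one-line comment stating why backslashes count as separators here (browsers normalise `\` to `/` in the authority) would also help the next reader of this condition.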
src/Symfony/Component/Security/Http/Tests/HttpUtilsTest.php+16 −2 modified@@ -54,14 +54,28 @@ public function testCreateRedirectResponseWithRequestsDomain() $this->assertTrue($response->isRedirect('http://localhost/blog')); } - public function testCreateRedirectResponseWithBadRequestsDomain() + /** + * @dataProvider badRequestDomainUrls + */ + public function testCreateRedirectResponseWithBadRequestsDomain($url) { $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i'); - $response = $utils->createRedirectResponse($this->getRequest(), 'http://pirate.net/foo'); + $response = $utils->createRedirectResponse($this->getRequest(), $url); $this->assertTrue($response->isRedirect('http://localhost/')); } + public function badRequestDomainUrls() + { + return array( + array('http://pirate.net/foo'), + array('http:\\\\pirate.net/foo'), + array('http:/\\pirate.net/foo'), + array('http:\\/pirate.net/foo'), + array('http://////pirate.net/foo'), + ); + } + public function testCreateRedirectResponseWithProtocolRelativeTarget() { $utils = new HttpUtils($this->getUrlGenerator(), null, '#^https?://%s$#i');
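Review bot: `badRequestDomainUrls` only covers foreign hosts, so the behaviour for the request's own host written with backslashes (e.g. `http:\\localhost/foo`, which the `://` in `'#^https?://%s$#i'` now resets to `/`) is left incidental; add a case for it, either in this provider or in a sibling test, so the choice is pinned. A mixed-case scheme such as `HTTP:\\pirate.net/foo` would also exercise the `i` flag on the new pattern. Since the provider's first entry is the old single-value test, a short docblock noting that the remaining entries are separator-variant bypasses would make the intent clear.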
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-89r2-5g34-2g47 (GHSA advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7/ (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE/ (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ/ (Fedora package announcement)
- nvd.nist.gov/vuln/detail/CVE-2018-19790 (NVD)
- www.debian.org/security/2019/dsa-4441 (Debian security advisory DSA-4441)
- www.securityfocus.com/bid/106249 (SecurityFocus BID 106249)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2018-19790.yaml (FriendsOfPHP security advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-19790.yaml (FriendsOfPHP security advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-19790.yaml (FriendsOfPHP security advisory)
- github.com/symfony/symfony/commit/99a0cec0a6be39ce5ef38386e57339603b33ee5b (fix commit)
- lists.debian.org/debian-lts-announce/2019/03/msg00009.html (Debian LTS announcement)
- seclists.org/bugtraq/2019/May/21 (Bugtraq)
- symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http (vendor advisory)
- symfony.com/cve-2018-19790 (vendor advisory)
- web.archive.org/web/20200227095826/http://www.securityfocus.com/bid/106249 (archived copy of BID 106249)
News mentions
No linked articles in our index yet.