CVE-2019-10913
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Symfony before 2.7.51, 2.8.50, 3.4.26, 4.1.12, 4.2.7, HTTP methods and override headers are not validated, enabling injection attacks like SQLi or XSS.
Vulnerability
Description
The Symfony HttpFoundation component fails to validate HTTP method strings, whether provided as the request verb or via the X-Http-Method-Override header. These strings are treated as trusted input but are not sanitized, allowing arbitrary characters to be injected. When the method string is used in contexts such as SQL queries or HTML output without proper escaping, it can lead to SQL injection or cross-site scripting (XSS) attacks [1][4].
Exploitation
An attacker can craft a malicious HTTP request with a method string containing SQL or XSS payloads, for example by setting the X-Http-Method-Override header to a value like ' OR 1=1--. No authentication is required if the application exposes endpoints that accept method overrides. The vulnerability affects all Symfony applications that use the method string in database queries or output rendering without escaping [2][3].
Impact
Successful exploitation can result in SQL injection, allowing data theft, modification, or deletion, or cross-site scripting, enabling session hijacking, defacement, or phishing. The severity depends on how the application incorporates the method string into its logic [1][4].
Mitigation
Patches are available in Symfony versions 2.7.51, 2.8.50, 3.4.26, 4.1.12, and 4.2.7. The fix accepts a method override only if, after upper-casing, it consists solely of ASCII letters (A-Z); anything else is rejected. Users should upgrade to these versions or apply the provided patch. Older unsupported branches (3.0–3.3, 4.0) are not fixed and should be upgraded to a supported version [4].
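The validation rule the fix introduces, re-implemented in Python as an added illustration (this is not Symfony's code; the `resolve_method` and `override_is_accepted` helpers and the single `form_method` parameter standing in for the `_method` body/query lookup are assumptions made here). It shows which constructed override values are honoured and which are rejected, including a value with a trailing newline, which is why the PHP pattern uses the `/D` modifier:

```python
import re
from typing import Optional

# Methods the patched getMethod() accepts without further checks (list taken from the patch).
KNOWN_METHODS = frozenset(
    ["GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH", "PURGE", "TRACE"]
)

# Equivalent of PHP's /^[A-Z]++$/D: fullmatch() anchors at the true end of the string,
# so "PUT\n" is rejected (PHP's '$' without the D modifier would match before a final newline).
_UPPER_ONLY = re.compile(r"[A-Z]+")


class SuspiciousOperation(ValueError):
    """Raised when a method override is not a plain ASCII-letter token."""


def resolve_method(request_method: str, override_header: Optional[str],
                   form_method: Optional[str] = None,
                   parameter_override_enabled: bool = False) -> str:
    """Mirror the patched logic: an override is only considered for POST requests, and the
    override value must be a known method or match ^[A-Z]+$ after upper-casing."""
    method = request_method.upper()
    if method != "POST":
        return method                      # overrides are ignored for non-POST requests
    candidate = override_header
    if not candidate and parameter_override_enabled:
        # Assumption: form_method stands in for the _method body/query parameter lookup.
        candidate = form_method if form_method is not None else "POST"
    if not isinstance(candidate, str):
        return method                      # no override supplied
    candidate = candidate.upper()
    if candidate in KNOWN_METHODS:
        return candidate
    if not _UPPER_ONLY.fullmatch(candidate):
        raise SuspiciousOperation(f"Invalid method override {candidate!r}")
    return candidate                       # unlisted but letters-only, e.g. PROPFIND


def override_is_accepted(value: str) -> bool:
    """True if a POST carrying this X-HTTP-Method-Override value would be honoured."""
    try:
        resolve_method("POST", value)
        return True
    except SuspiciousOperation:
        return False
```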
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/http-foundation (Packagist) | >= 2.7.0, < 2.7.51 | 2.7.51 |
| symfony/http-foundation (Packagist) | >= 2.8.0, < 2.8.50 | 2.8.50 |
| symfony/http-foundation (Packagist) | >= 3.0.0, < 3.4.26 | 3.4.26 |
| symfony/http-foundation (Packagist) | >= 4.0.0, < 4.1.12 | 4.1.12 |
| symfony/http-foundation (Packagist) | >= 4.2.0, < 4.2.7 | 4.2.7 |
| symfony/symfony (Packagist) | >= 2.7.0, < 2.7.51 | 2.7.51 |
| symfony/symfony (Packagist) | >= 2.8.0, < 2.8.50 | 2.8.50 |
| symfony/symfony (Packagist) | >= 3.0.0, < 3.4.26 | 3.4.26 |
| symfony/symfony (Packagist) | >= 4.0.0, < 4.1.12 | 4.1.12 |
| symfony/symfony (Packagist) | >= 4.2.0, < 4.2.7 | 4.2.7 |
Affected products
- symfony/symfony (GHSA coordinates, no CPE): 2 version ranges, including >= 2.7.0, < 2.7.51
Patches
- 944e60f083c3 [HttpFoundation] reject invalid method override (1 file changed, +29 −14)
src/Symfony/Component/HttpFoundation/Request.php+29 −14 modified@@ -1346,22 +1346,37 @@ public function setMethod($method) */ public function getMethod() { - if (null === $this->method) { - $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET')); - - if ('POST' === $this->method) { - if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) { - $this->method = strtoupper($method); - } elseif (self::$httpMethodParameterOverride) { - $method = $this->request->get('_method', $this->query->get('_method', 'POST')); - if (\is_string($method)) { - $this->method = strtoupper($method); - } - } - } + if (null !== $this->method) { + return $this->method; + } + + $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET')); + + if ('POST' !== $this->method) { + return $this->method; + } + + $method = $this->headers->get('X-HTTP-METHOD-OVERRIDE'); + + if (!$method && self::$httpMethodParameterOverride) { + $method = $this->request->get('_method', $this->query->get('_method', 'POST')); + } + + if (!\is_string($method)) { + return $this->method; + } + + $method = strtoupper($method); + + if (\in_array($method, ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'], true)) { + return $this->method = $method; + } + + if (!preg_match('/^[A-Z]++$/D', $method)) { + throw new SuspiciousOperationException(sprintf('Invalid method override "%s".', $method)); } - return $this->method; + return $this->method = $method; } /**
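Review bot: the `sprintf('Invalid method override "%s".', $method)` at the end of the hunk embeds the rejected, attacker-controlled value verbatim in the exception message; since the whole point of this change is that such values may contain SQL or HTML fragments, please document (or enforce in the error handling) that this message must never reach an HTML error page or log line unescaped, or truncate/escape the value before interpolating it. The rest of the hunk looks right: the override is still only consulted when the base method is POST, the allowlist short-circuits the common cases, and `/^[A-Z]++$/D` with the D modifier correctly refuses a trailing newline that a bare `$` would have accepted.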
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-x92h-wmg2-6hp7 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-10913 (NVD advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-10913.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10913.yaml
- https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec (fix commit)
- https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides (vendor blog post)
- https://symfony.com/cve-2019-10913 (vendor advisory)