VYPR
High severity · NVD Advisory · Published Nov 21, 2019 · Updated Aug 5, 2024

CVE-2019-18888

Description

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unvalidated user input passed to Symfony's MIME type validation can lead to arbitrary argument injection into the underlying file command.

Root cause

CVE-2019-18888 is an argument injection vulnerability in Symfony's HTTP Foundation and Mime components. When an application passes unvalidated user input as the filename for MIME type validation, the underlying file command receives arbitrary arguments supplied by the attacker. The affected versions include Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7 [1].

Exploitation

The vulnerability is triggered when an application does not sanitize user-supplied filenames before handing them to the MIME type guessing logic. Since the file command is invoked with the user-controlled string as an argument, an attacker can inject command-line flags (e.g., -m or -e) that alter the behavior of the command. No authentication is strictly required if the vulnerable endpoint is publicly accessible, making this especially dangerous in applications that accept file uploads or path inputs [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the server, as the file command may run with the privileges of the web server. This can lead to full server compromise, data exfiltration, or lateral movement within the network [1].

Mitigation

The Symfony project released patches in versions 2.8.51, 3.4.35, 4.2.12, and 4.3.8 to fix the issue by properly escaping filenames before passing them to the underlying command. Users of affected versions should update immediately. Additionally, applications should never pass unvalidated user input directly to file-handling functions [1][4].
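The point a practitioner should take from the mitigation is that this is argument injection, not shell injection: quoting the filename for the shell does not stop the file binary from reading a leading-dash argument as an option. The following PHP is an added example written for this page, not Symfony's own guesser code. It assumes two defences the page does not spell out, anchoring a relative path with "./" so the argument can never begin with a dash, and terminating option parsing with "--"; the function names and the sample filenames are constructed for the illustration.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Symfony's code): guessing a MIME type with the `file`
 * binary without letting the filename reach the option parser.
 *
 * escapeshellarg() protects the shell, but a filename whose first character
 * is '-' is still handed to `file` as one argument, and `file` parses that
 * argument as an option. Two independent defences close that gap (both are
 * this example's assumptions, not the page's text):
 *   1. anchor a relative path with './' so the argument never starts with '-';
 *   2. end option parsing with '--' before the path.
 */

/** Weak pattern: shell-safe, but not option-safe. Shown only for contrast. */
function guessMimeTypeUnsafe(string $path): ?string
{
    $out = shell_exec(sprintf('file -b --mime-type %s 2>/dev/null', escapeshellarg($path)));
    return is_string($out) ? trim($out) : null;
}

/**
 * Builds the exact argument that will be handed to `file` for $path.
 * Kept separate from the process call so it can be checked without running `file`.
 */
function fileArgumentFor(string $path): string
{
    // A leading '-' is the only prefix `file` treats as an option introducer,
    // and absolute paths can never start with it, so only relative names need anchoring.
    if ($path !== '' && $path[0] === '-') {
        $path = './' . $path;
    }
    return escapeshellarg($path);
}

/** Hardened pattern: existence check, anchored path, '--' terminator, shell quoting. */
function guessMimeTypeSafe(string $path): ?string
{
    // Refuse anything that is not a readable regular file before spawning a process.
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    $cmd = sprintf('file -b --mime-type -- %s 2>/dev/null', fileArgumentFor($path));
    $out = shell_exec($cmd);
    return is_string($out) ? trim($out) : null;
}

// Constructed demonstration names: an ordinary file and one with a leading dash.
foreach (['report.txt', '-report.txt'] as $name) {
    printf("%-14s -> argument passed to file: %s\n", $name, fileArgumentFor($name));
}
```

The same rule applies to any binary invoked with a user-influenced path (image converters, archivers, antivirus scanners): treat shell quoting and option termination as two separate controls, and keep the argument-building step in its own function so it can be unit-tested with dash-prefixed names.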

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Ecosystem   Affected versions      Patched version
symfony/http-foundation   Packagist   >= 2.0.0, < 2.8.52     2.8.52
symfony/http-foundation   Packagist   >= 3.0.0, < 3.4.35     3.4.35
symfony/http-foundation   Packagist   >= 4.0.0, < 4.2.12     4.2.12
symfony/http-foundation   Packagist   >= 4.3.0, < 4.3.8      4.3.8
symfony/mime              Packagist   >= 4.3.0, < 4.3.8      4.3.8
symfony/symfony           Packagist   >= 2.0.0, < 2.8.52     2.8.52
symfony/symfony           Packagist   >= 3.0.0, < 3.4.35     3.4.35
symfony/symfony           Packagist   >= 4.0.0, < 4.2.12     4.2.12
symfony/symfony           Packagist   >= 4.3.0, < 4.3.8      4.3.8

Affected products: 4

Patches: 1

87fb08703e62

Merge pull request #34352 from fabpot/release-4.3.8

https://github.com/symfony/symfony · Fabien Potencier · Nov 13, 2019 · via osv
2 files changed · +12 −2
  • CHANGELOG-4.3.md+10 0 modified
    @@ -7,6 +7,16 @@ in 4.3 minor versions.
     To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
     To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v4.3.0...v4.3.1
     
    +* 4.3.8 (2019-11-13)
    +
    + * bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas)
    + * security #cve-2019-18886 [Security\Core] throw AccessDeniedException when switch user fails (nicolas-grekas)
    + * security #cve-2019-18888 [Mime] fix guessing mime-types of files with leading dash (nicolas-grekas)
    + * security #cve-2019-11325 [VarExporter] fix exporting some strings (nicolas-grekas)
    + * security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas)
    + * security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
    + * security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
    +
     * 4.3.7 (2019-11-11)
     
      * bug #34294 [Workflow] Fix error when we use ValueObject for the marking property (FabienSalles)
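Review bot: the two "security #cve-2019-18888" entries in this hunk (the [Mime] and [HttpFoundation] lines) describe the same fix, "fix guessing mime-types of files with leading dash", applied to both components' binary guessers, and that leading-dash wording is the only place in this commit that states what was actually changed. Since the commit touches only CHANGELOG-4.3.md and Kernel.php, the guesser change itself is not reviewable here; anyone auditing or backporting the fix should follow the component commits those entries refer to rather than this release merge.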
    
  • src/Symfony/Component/HttpKernel/Kernel.php+2 2 modified
    @@ -73,12 +73,12 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl
         private $requestStackSize = 0;
         private $resetServices = false;
     
    -    const VERSION = '4.3.8-DEV';
    +    const VERSION = '4.3.8';
         const VERSION_ID = 40308;
         const MAJOR_VERSION = 4;
         const MINOR_VERSION = 3;
         const RELEASE_VERSION = 8;
    -    const EXTRA_VERSION = 'DEV';
    +    const EXTRA_VERSION = '';
     
         const END_OF_MAINTENANCE = '01/2020';
         const END_OF_LIFE = '07/2020';
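Review bot: the constant bump is internally consistent (VERSION '4.3.8', EXTRA_VERSION '' with VERSION_ID 40308 and RELEASE_VERSION 8 already in place), so Kernel::VERSION is a reliable signal for a 4.3 application that this release is installed. Note that END_OF_MAINTENANCE is '01/2020', two months after this release date, so deployments on 4.3 should be planning a move to a maintained branch rather than relying on further 4.3 security releases.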
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 18

News mentions: 0

No linked articles in our index yet.