Remote Code Execution in SyliusResourceBundle
Description
SyliusResourceBundle fails to sanitize request parameters in expression language, allowing remote code execution via crafted route parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-15143 is a remote code execution (RCE) vulnerability in the SyliusResourceBundle, a Symfony bundle used for CRUD operations. The flaw resides in the ParametersParser::parseRequestValueExpression method, which evaluates request parameters inside expressions using the symfony/expression-language package. User-supplied input is not sanitized before being injected into the expression, enabling an attacker to manipulate the expression to call arbitrary public services [1][4].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious request parameter that contains a string like "~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~". When this parameter is used in a route definition that passes it to an expression (e.g., expr:service('repository').find($id)), the expression language evaluates the injected code, allowing the attacker to invoke any Symfony service [4]. The attack requires no authentication and can be triggered via any route that uses request parameters inside the expression language, as demonstrated in the advisory [4].
Impact
Successful exploitation grants the attacker the ability to execute arbitrary code on the server, including database queries, file system operations, or other actions accessible through public Symfony services. This can lead to full compromise of the application and its data [1][4].
Mitigation
The vulnerability has been patched in versions 1.3.14, 1.4.7, 1.5.2, and 1.6.4 of the SyliusResourceBundle. The fix applies addslashes() to string variables, escaping quotes and backslashes before the value is placed into the expression that is then evaluated [4]. Users of affected versions should upgrade immediately. Versions prior to 1.3 were not patched and remain vulnerable [1].
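The three shapes discussed above, as an added example that is not SyliusResourceBundle's own code: the pre-fix interpolation, the addslashes() form from the patch, and the alternative of binding request values as expression variables. It assumes symfony/expression-language is installed via Composer; the Repository class, the `$name` placeholder syntax and the sample request value are constructed for illustration.

```php
<?php
// Added example (not SyliusResourceBundle code). Assumes symfony/expression-language
// is available via Composer; Repository, the $name placeholder syntax and the
// request values below are constructed for illustration.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

final class Repository
{
    public function find(string $id): string { return 'entity:' . $id; }
}

// Shared placeholder substitution: each $name is replaced by the quoted request value.
function interpolate(string $expression, array $request, callable $quote): string
{
    return preg_replace_callback('/\$(\w+)/', function (array $m) use ($request, $quote) {
        $v = $request[$m[1]] ?? null;
        return is_string($v) ? $quote($v) : (string) $v;
    }, $expression);
}

// Pre-fix shape: the raw value is wrapped in double quotes, so a value containing
// a double quote ends the literal and the remainder is parsed as expression code.
function buildVulnerable(string $expression, array $request): string
{
    return interpolate($expression, $request, fn(string $v) => sprintf('"%s"', $v));
}

// Patched shape (1.3.14 / 1.4.7 / 1.5.2 / 1.6.4): quotes and backslashes are
// escaped, so the whole value stays inside a single string literal.
function buildPatched(string $expression, array $request): string
{
    return interpolate($expression, $request, fn(string $v) => sprintf('"%s"', addslashes($v)));
}

// Preferred shape: leave the expression source untouched and hand request values
// to the evaluator as named variables (array union lets service names win on collision).
function evaluateBound(ExpressionLanguage $el, string $expr, array $request, array $services): mixed
{
    return $el->evaluate($expr, $services + $request);
}

$el = new ExpressionLanguage();
$services = ['repository' => new Repository()];
$request = ['id' => '1"~repository.find("x")~"'];  // constructed: contains a closing quote

// The first line performs two find() calls; the other two treat the value purely as data.
echo $el->evaluate(buildVulnerable('repository.find($id)', $request), $services), "\n";
echo $el->evaluate(buildPatched('repository.find($id)', $request), $services), "\n";
echo evaluateBound($el, 'repository.find(id)', $request, $services), "\n";
```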
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sylius/resource-bundle | Packagist | >= 1.4.0, < 1.4.7 | 1.4.7 |
| sylius/resource-bundle | Packagist | >= 1.5.0, < 1.5.2 | 1.5.2 |
| sylius/resource-bundle | Packagist | >= 1.6.0, < 1.6.4 | 1.6.4 |
| sylius/resource-bundle | Packagist | >= 1.0.0, < 1.3.14 | 1.3.14 |
Affected products
- Sylius/SyliusResourceBundle (range: < 1.3.14)
Patches
73ed8b8bb083 Merge pull request from GHSA-p4pj-9g59-4ppv
1 file changed · +1 −1
src/Bundle/Controller/ParametersParser.php+1 −1 modified@@ -80,7 +80,7 @@ private function parseRequestValueExpression(string $expression, Request $reques )); } - return is_string($variable) ? sprintf('"%s"', $variable) : $variable; + return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable; }, $expression); return $this->expression->evaluate($expression, ['container' => $this->container]);
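Review bot: the replacement line still builds the expression by string interpolation, and addslashes() only stops a value from terminating the `"%s"` literal; since the closing `$this->expression->evaluate($expression, ['container' => $this->container])` already takes a values array, a more robust change would register each request value there as a named variable and reference it by name in the expression, so request data never becomes expression source. The non-string branch still returns `$variable` unchanged into the substitution, which is worth a comment on what types are expected there, and the PR would benefit from a test whose value contains both `"` and `\` to pin the escaping behaviour.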
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p4pj-9g59-4ppv (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-15143 (source: GHSA; type: advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15143.yaml (source: GHSA; type: web)
- github.com/Sylius/SyliusResourceBundle/commit/73ed8b8bb083f36c30ad7c3cec336f65d6a80650 (source: GHSA; type: web)
- github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv (source: GHSA, x_refsource_CONFIRM; type: web)
News mentions
No linked articles in our index yet.