Remote Code Execution in SyliusResourceBundle
Description
SyliusResourceBundle before 1.3.14/1.4.7/1.5.2/1.6.4 fails to sanitize request parameters in expression-language evaluations, leading to remote code execution via arbitrary public service calls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-15146 is a remote code execution vulnerability in the SyliusResourceBundle, a Symfony bundle providing CRUD operations for Sylius e-commerce applications. The root cause is unsanitized request parameters injected into expressions evaluated by the symfony/expression-language package. The OptionsParser::parseOptionExpression method directly interpolates string request parameters into expression strings without escaping special characters, allowing an attacker to break out of the intended expression context [1][4].
Exploitation
An attacker can exploit this by crafting a malicious request parameter that, when embedded in a grid or resource configuration expression, injects arbitrary ExpressionLanguage syntax. For example, a parameter like "~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~" can be injected from a URL query string. The attacker needs only network access to an endpoint that uses the vulnerable grid options parsing; no authentication is mentioned as a prerequisite, making this exploitable by unauthenticated users if such endpoints are exposed [4]. The expression language allows calling any public service, so the attacker can chain service calls to achieve arbitrary code execution.
Impact
Successful exploitation grants the attacker the ability to invoke any public service in the Symfony container. This can be used to read sensitive data, modify database contents, or execute arbitrary code on the server, leading to full application compromise [1][4]. The example provided in the advisory demonstrates deleting all rows from a table, indicating severe data integrity and availability impacts.
Mitigation
The vulnerability is patched in versions 1.3.14, 1.4.7, 1.5.2, and 1.6.4. The fix wraps string request values in addslashes() in OptionsParser::parseOptionExpression before they are quoted into the expression, so quote and backslash characters in user input can no longer terminate the string literal [4]. Versions prior to 1.3 were not patched and remain vulnerable; users of those versions should upgrade to a supported release. No workaround beyond the patch is documented, but administrators should ensure no untrusted users can supply request parameters to affected grid definitions.
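The following PHP script is an added example, not code from SyliusResourceBundle or its advisory. It reproduces the shape of the `$name` placeholder expansion described in the Vulnerability and Mitigation sections so the pre-fix and patched behaviour can be compared on a benign input, and it shows the alternative of handing request values to `evaluate()` as variables instead of splicing them into the expression text. It assumes the `symfony/expression-language` package is installed via Composer; the `$params` array stands in for the request's query parameters, and the function names `interpolate` and `evaluateWithVariables` are this example's own.

```php
<?php
// Added example (not SyliusResourceBundle's own code). Mirrors the placeholder
// expansion in OptionsParser::parseOptionExpression to contrast raw interpolation
// with the patched addslashes() form and with passing values as variables.
// Requires: composer require symfony/expression-language
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

// Expand `$name` placeholders with values from $params, quoting them as string literals.
// $escape = false reproduces the pre-1.3.14 behaviour; $escape = true reproduces the fix.
function interpolate(string $expression, array $params, bool $escape): string
{
    return (string) preg_replace_callback('/\$(\w+)/', function (array $m) use ($params, $escape) {
        $value = $params[$m[1]] ?? null;
        if (!is_string($value)) {
            // Constructed choice for this example: the original only quotes strings and
            // splices anything else in raw; here non-string values are rejected outright.
            throw new InvalidArgumentException(sprintf('Parameter "%s" must be a string', $m[1]));
        }
        return sprintf('"%s"', $escape ? addslashes($value) : $value);
    }, $expression);
}

// Alternative design (an assumption of this example, not the bundle's code): the request
// values never touch the expression text; they are supplied as an expression variable.
function evaluateWithVariables(ExpressionLanguage $el, string $expression, array $params)
{
    return $el->evaluate($expression, ['params' => $params]);
}

$el = new ExpressionLanguage();

// Constructed query parameter: a double quote followed by expression syntax (`~` concatenates).
$params = ['name' => 'x" ~ "y'];

// Pre-fix: the embedded quote closes the literal, so `~` is parsed as an operator and the
// result is the concatenation of the two fragments rather than the parameter value.
$unsafe = interpolate('$name', $params, false);
var_dump($unsafe, $el->evaluate($unsafe));

// Patched: addslashes() escapes the quote, the whole parameter stays one string literal,
// and evaluation yields the original parameter value.
$safe = interpolate('$name', $params, true);
var_dump($safe, $el->evaluate($safe));

// Variable-passing: the same expression logic with no quoting or escaping at all.
var_dump(evaluateWithVariables($el, 'params["name"]', $params));
```

Running the script with `php example.php` prints the expanded expression string and its evaluated value for each of the three variants, making visible which one lets the parameter change the structure of the expression. The third variant is the one to prefer in new code: the ExpressionLanguage string lexer only needs escaping because the value is being pasted into source text, and passing it through the values array sidesteps that class of problem entirely.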
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sylius/resource-bundle (Packagist) | >= 1.4.0, < 1.4.7 | 1.4.7 |
| sylius/resource-bundle (Packagist) | >= 1.5.0, < 1.5.2 | 1.5.2 |
| sylius/resource-bundle (Packagist) | >= 1.6.0, < 1.6.4 | 1.6.4 |
| sylius/resource-bundle (Packagist) | >= 1.0.0, < 1.3.14 | 1.3.14 |
Affected products
- Sylius/SyliusResourceBundle, range: < 1.3.14
Patches
73d9aba18294 Merge pull request from GHSA-h6m7-j4h3-9rf5
1 file changed · +1 −1
src/Bundle/Grid/Parser/OptionsParser.php+1 −1 modified@@ -79,7 +79,7 @@ private function parseOptionExpression(string $expression, Request $request) $expression = (string) preg_replace_callback('/\$(\w+)/', function (array $matches) use ($request) { $variable = $request->get($matches[1]); - return is_string($variable) ? sprintf('"%s"', $variable) : $variable; + return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable; }, $expression); return $this->expression->evaluate($expression, ['container' => $this->container]);
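Review bot: the hardening covers only the `is_string` branch of the ternary; the `: $variable` fallback on the same `return` line still splices non-string values into the expression text unescaped, so a missing parameter (null from `$request->get()`) becomes an empty token and an array parameter (for example `?name[]=x`) is stringified as "Array" with a conversion notice, both surfacing as expression syntax errors instead of a clean rejection. Consider validating the value before the `return`, e.g. `if (!is_string($variable)) { throw new \InvalidArgumentException(...); }`. More fundamentally, since the following line already passes a values array to `$this->expression->evaluate($expression, ['container' => $this->container])`, the request values could be supplied as expression variables in that array rather than quoted into the expression string, which removes the need for `addslashes()` and any future escaping concern altogether.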
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-h6m7-j4h3-9rf5 (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2020-15146 (advisory)
- [3] https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15146.yaml (web)
- [4] https://github.com/Sylius/SyliusResourceBundle/commit/73d9aba182947473a5935b31caf65ca263091e00 (web, fix commit)
- [5] https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5 (web, x_refsource_CONFIRM)