Ability to expose data in Sylius by using an unintended serialisation group
Description
Sylius ResourceBundle accepts any serialization groups from HTTP headers, allowing attackers to expose sensitive data by using unintended, more permissive groups.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
Sylius ResourceBundle automatically uses serialization groups provided via an HTTP header, without validating that the requested group is intended for the current API context. This flaw allows an attacker to specify arbitrary serialization groups, including those reserved for privileged interfaces like the Admin API, thereby exposing data meant to be restricted [1][4].
Exploitation
An attacker can craft a request to a ResourceBundle-based API endpoint and include a custom X-Serialization-Groups header (or similar) pointing to a more permissive group. For example, the Shop API endpoint could be made to use a group from the Admin API, bypassing intended access controls [1]. No authentication is required if the endpoint is publicly accessible; the attack only requires the ability to send HTTP requests with custom headers.
Impact
Successful exploitation leads to unauthorized exposure of sensitive data that should only be visible to administrators or specific user roles. This could include customer details, order information, or internal configuration, depending on the serialization groups defined in the application. The vulnerability affects all versions of Sylius ResourceBundle before 1.3.13, 1.4.6, 1.5.1, and 1.6.3 [4].
Mitigation
The vulnerability is patched in Sylius ResourceBundle versions 1.3.13, 1.4.6, 1.5.1, and 1.6.3. After applying the patch, only groups defined in serialization_groups or allowed_serialization_groups route configuration will be accepted, rejecting any undefined groups. For users who cannot upgrade immediately, a workaround involves overriding the sylius.resource_controller.request_configuration_factory service to remove custom serialization group handling [4].
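The allowlist behaviour described above, as an added illustration (this is not Sylius ResourceBundle's own code; the function name, the X-Serialization-Groups header name and the group names are assumptions): groups requested by the client are accepted only if the route configuration defines them, otherwise the request is rejected before the serializer sees it.

```php
<?php
// Added example, not Sylius code. Route option names mirror the ones named
// in the advisory; the header name and group names are constructed.
declare(strict_types=1);

/**
 * Resolve the serialization groups a request may use for one route.
 *
 * $routeConfig holds the route's `serialization_groups` (defaults) and
 * `allowed_serialization_groups` (extra groups a client may request).
 * Any requested group outside those two lists is rejected instead of
 * being passed through to the serializer, which is the pre-fix flaw.
 */
function resolveSerializationGroups(array $routeConfig, ?string $headerValue): array
{
    $defaults = $routeConfig['serialization_groups'] ?? [];
    $allowed  = array_merge($defaults, $routeConfig['allowed_serialization_groups'] ?? []);

    if ($headerValue === null || trim($headerValue) === '') {
        return $defaults;
    }

    // Header is a comma-separated list; ignore empty fragments.
    $requested = array_filter(array_map('trim', explode(',', $headerValue)), 'strlen');
    $undefined = array_diff($requested, $allowed);

    if ($undefined !== []) {
        throw new InvalidArgumentException(
            'Undefined serialization group(s) requested: ' . implode(', ', $undefined)
        );
    }

    return array_values(array_unique(array_merge($defaults, $requested)));
}

// Constructed route configuration for a shop-facing endpoint.
$shopRoute = [
    'serialization_groups'         => ['shop:product:read'],
    'allowed_serialization_groups' => ['shop:product:detailed'],
];

// A client asking for an allowed group gets it merged with the defaults.
var_dump(resolveSerializationGroups($shopRoute, 'shop:product:detailed'));

// A client asking for a group defined only for another API context is refused.
try {
    resolveSerializationGroups($shopRoute, 'shop:product:read,admin:product:read');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```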
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sylius/resource-bundle (Packagist) | >= 1.4.0, < 1.4.6 | 1.4.6 |
| sylius/resource-bundle (Packagist) | >= 1.5.0, < 1.5.1 | 1.5.1 |
| sylius/resource-bundle (Packagist) | >= 1.6.0, < 1.6.3 | 1.6.3 |
| sylius/sylius (Packagist) | < 1.3.12 | 1.3.12 |
| sylius/sylius (Packagist) | >= 1.4.0, < 1.4.4 | 1.4.4 |
| sylius/resource-bundle (Packagist) | >= 1.0.0, < 1.3.13 | 1.3.13 |
Affected products
- ghsa-coords (no CPE): range >= 1.4.0, < 1.4.6
- ghsa-coords (no CPE): range < 1.3.12
- Sylius/SyliusResourceBundle: range < 1.3.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-8vp7-j5cj-vvm2 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2020-5220 (advisory)
3. github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml (web)
4. github.com/FriendsOfPHP/security-advisories/blob/master/sylius/sylius/CVE-2020-5220.yaml (web)
5. github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2 (vendor advisory)