Moderate severity · NVD Advisory · Published Feb 3, 2023 · Updated Mar 10, 2025
Symfony storing cookie headers in HttpCache
CVE-2022-24894
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to clients. After a recent change in the AbstractSessionListener, a response might contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, such a response might be stored and returned to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and the fix is available for branch 4.4.
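The following is an added illustration, not Symfony's own code: a toy reverse-proxy cache that shows how a stored Set-Cookie header hands client A's session to client B, beside the defensive behaviour of dropping per-client headers before a response is written to the shared cache. The class, its `skipHeaders` option and the sample response are constructed for this example.

```php
<?php
// Added example (not part of Symfony): minimal model of a shared response cache.
// A reverse proxy that stores the whole response, Set-Cookie included, will
// replay one client's session cookie to every later client that hits the cache.
declare(strict_types=1);

final class ToyResponseCache
{
    /** @var array<string, array{status:int, headers:array<string,string>, body:string}> */
    private array $store = [];

    /** @param string[] $skipHeaders response headers that must never reach the cache */
    public function __construct(private array $skipHeaders = ['Set-Cookie']) {}

    public function lookup(string $path): ?array
    {
        return $this->store[$path] ?? null;
    }

    /** Store a response, removing headers that are specific to one client first. */
    public function store(string $path, array $response): void
    {
        foreach (array_keys($response['headers']) as $name) {
            foreach ($this->skipHeaders as $skip) {
                if (strcasecmp($name, $skip) === 0) {   // header names are case-insensitive
                    unset($response['headers'][$name]);
                }
            }
        }
        $this->store[$path] = $response;
    }
}

// Constructed sample: the origin answered client A and started a session for them.
$originResponse = [
    'status'  => 200,
    'headers' => ['Content-Type' => 'text/html', 'Set-Cookie' => 'PHPSESSID=sessionOfClientA; HttpOnly'],
    'body'    => '<p>Hello A</p>',
];

// Unsafe behaviour: store everything, so client B receives A's session cookie.
$unsafe = new ToyResponseCache(skipHeaders: []);
$unsafe->store('/', $originResponse);
$leaked = isset($unsafe->lookup('/')['headers']['Set-Cookie']);
echo 'unsafe cache: next client gets Set-Cookie? ', $leaked ? "yes\n" : "no\n";

// Defensive behaviour: Set-Cookie is stripped before the entry is written.
$safe = new ToyResponseCache();
$safe->store('/', $originResponse);
$leaked = isset($safe->lookup('/')['headers']['Set-Cookie']);
echo 'safe cache:   next client gets Set-Cookie? ', $leaked ? "yes\n" : "no\n";
```

Run with `php example.php`; the first line prints "yes" and the second "no". The same check belongs at any shared-cache boundary in front of a session-issuing application, whether the cache is in-process or a separate proxy.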
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| symfony/http-kernel | Packagist | >= 2.0.0, < 4.4.50 | 4.4.50 |
| symfony/http-kernel | Packagist | >= 5.0.0, < 5.4.20 | 5.4.20 |
| symfony/http-kernel | Packagist | >= 6.0.0, < 6.0.20 | 6.0.20 |
| symfony/http-kernel | Packagist | >= 6.1.0, < 6.1.12 | 6.1.12 |
| symfony/http-kernel | Packagist | >= 6.2.0, < 6.2.6 | 6.2.6 |
| symfony/symfony | Packagist | >= 2.0.0, < 4.4.50 | 4.4.50 |
| symfony/symfony | Packagist | >= 5.0.0, < 5.4.20 | 5.4.20 |
| symfony/symfony | Packagist | >= 6.0.0, < 6.0.20 | 6.0.20 |
| symfony/symfony | Packagist | >= 6.1.0, < 6.1.12 | 6.1.12 |
| symfony/symfony | Packagist | >= 6.2.0, < 6.2.6 | 6.2.6 |
Affected products (4 entries, no CPE assigned)
- Range: >= 2.0.0, < 4.4.50
- Range: >= 2.0.0, < 4.4.50
- Range: >= 2.0.0, < 4.4.50
- Range: >= 2.0.0, < 4.4.50
References
- https://github.com/advisories/GHSA-h7vf-5wrv-9fhv (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-24894 (advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
- https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb (fix commit)
- https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv (vendor advisory)
- https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
- https://symfony.com/cve-2022-24894