Moderate severityNVD Advisory· Published Feb 3, 2023· Updated Mar 10, 2025
Symfony storing cookie headers in HttpCache
CVE-2022-24894
Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the AbstractSessionListener, the response might contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
symfony/http-kernelPackagist | >= 2.0.0, < 4.4.50 | 4.4.50 |
symfony/http-kernelPackagist | >= 5.0.0, < 5.4.20 | 5.4.20 |
symfony/http-kernelPackagist | >= 6.0.0, < 6.0.20 | 6.0.20 |
symfony/http-kernelPackagist | >= 6.1.0, < 6.1.12 | 6.1.12 |
symfony/http-kernelPackagist | >= 6.2.0, < 6.2.6 | 6.2.6 |
symfony/symfonyPackagist | >= 2.0.0, < 4.4.50 | 4.4.50 |
symfony/symfonyPackagist | >= 5.0.0, < 5.4.20 | 5.4.20 |
symfony/symfonyPackagist | >= 6.0.0, < 6.0.20 | 6.0.20 |
symfony/symfonyPackagist | >= 6.1.0, < 6.1.12 | 6.1.12 |
symfony/symfonyPackagist | >= 6.2.0, < 6.2.6 | 6.2.6 |
Affected products
1- Range: >= 2.0.0, < 4.4.50
Patches
1d2f6322af944[HttpKernel] Remove private headers before storing responses with HttpCache
2 files changed · +30 −3
src/Symfony/Component/HttpKernel/HttpCache/Store.php+17 −3 modified@@ -26,19 +26,29 @@ class Store implements StoreInterface { protected $root; private $keyCache; - private $locks; + private $locks = []; + private $options; /** + * Constructor. + * + * The available options are: + * + * * private_headers Set of response headers that should not be stored + * when a response is cached. (default: Set-Cookie) + * * @throws \RuntimeException */ - public function __construct(string $root) + public function __construct(string $root, array $options = []) { $this->root = $root; if (!file_exists($this->root) && !@mkdir($this->root, 0777, true) && !is_dir($this->root)) { throw new \RuntimeException(sprintf('Unable to create the store directory (%s).', $this->root)); } $this->keyCache = new \SplObjectStorage(); - $this->locks = []; + $this->options = array_merge([ + 'private_headers' => ['Set-Cookie'], + ], $options); } /** @@ -215,6 +225,10 @@ public function write(Request $request, Response $response) $headers = $this->persistResponse($response); unset($headers['age']); + foreach ($this->options['private_headers'] as $h) { + unset($headers[strtolower($h)]); + } + array_unshift($entries, [$storedEnv, $headers]); if (!$this->save($key, serialize($entries))) {
src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php+13 −0 modified@@ -12,8 +12,10 @@ namespace Symfony\Component\HttpKernel\Tests\HttpCache; use PHPUnit\Framework\TestCase; +use Symfony\Component\HttpFoundation\Cookie; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; +use Symfony\Component\HttpKernel\HttpCache\HttpCache; use Symfony\Component\HttpKernel\HttpCache\Store; class StoreTest extends TestCase @@ -317,6 +319,17 @@ public function testPurgeHttpAndHttps() $this->assertEmpty($this->getStoreMetadata($requestHttps)); } + public function testDoesNotStorePrivateHeaders() + { + $request = Request::create('https://example.com/foo'); + $response = new Response('foo'); + $response->headers->setCookie(Cookie::fromString('foo=bar')); + + $this->store->write($request, $response); + $this->assertArrayNotHasKey('set-cookie', $this->getStoreMetadata($request)[0][1]); + $this->assertNotEmpty($response->headers->getCookies()); + } + protected function storeSimpleEntry($path = null, $headers = []) { if (null === $path) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-h7vf-5wrv-9fhvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24894ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yamlghsaWEB
- github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fbghsax_refsource_MISCWEB
- github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhvghsax_refsource_CONFIRMWEB
- lists.debian.org/debian-lts-announce/2023/07/msg00014.htmlghsaWEB
- symfony.com/cve-2022-24894ghsaWEB
News mentions
0No linked articles in our index yet.