Low severity (score 3.1) · NVD Advisory · Published Nov 6, 2024 · Updated Apr 15, 2026

CVE-2024-50341


Description

symfony/security-bundle is a module for the Symfony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom user_checker defined on a firewall is not called when logging in programmatically with the Security::login method, leading to unwanted logins. As of versions 6.4.10, 7.0.10 and 7.1.3 the Security::login method ensures that the configured user_checker is called. All users are advised to upgrade. There are no known workarounds for this vulnerability.
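The following script is an added illustration of the mechanism described above; it is not code from the advisory or from Symfony. It models the two resolution strategies with small stand-in interfaces (UserInterface, UserCheckerInterface) so it runs without the framework installed: a single global checker, as the vulnerable Security::login used, versus a per-firewall map keyed by firewall name, as the fix introduces. The firewall names, the RequireMfaUserChecker and DemoUser classes are constructed for the demo.

```php
<?php
// Added example, not Symfony's code. The interfaces below mirror only the
// shape of Symfony's UserInterface / UserCheckerInterface.
interface UserInterface { public function getUserIdentifier(): string; }
interface UserCheckerInterface { public function checkPreAuth(UserInterface $user): void; }

final class AccountStatusException extends RuntimeException {}

final class DemoUser implements UserInterface {
    public function __construct(private string $id, public bool $mfaEnrolled) {}
    public function getUserIdentifier(): string { return $this->id; }
}

// Default checker: accepts every user (stands in for InMemoryUserChecker).
final class DefaultUserChecker implements UserCheckerInterface {
    public function checkPreAuth(UserInterface $user): void {}
}

// Hypothetical custom checker configured only on the "admin" firewall.
final class RequireMfaUserChecker implements UserCheckerInterface {
    public function checkPreAuth(UserInterface $user): void {
        if ($user instanceof DemoUser && !$user->mfaEnrolled) {
            throw new AccountStatusException('MFA enrolment required on the admin firewall');
        }
    }
}

// Vulnerable resolution: one global checker is consulted whatever firewall
// the programmatic login targets, so a firewall-specific checker never runs.
function loginBefore(UserInterface $user, string $firewall, UserCheckerInterface $global): string {
    $global->checkPreAuth($user);
    return sprintf('logged in %s on %s', $user->getUserIdentifier(), $firewall);
}

// Fixed resolution: look the checker up by firewall name, mirroring the
// security.user_checker_locator the patch adds. An unknown firewall fails
// closed instead of falling back to the permissive default.
function loginAfter(UserInterface $user, string $firewall, array $locator): string {
    if (!isset($locator[$firewall])) {
        throw new LogicException("no user checker registered for firewall '$firewall'");
    }
    $locator[$firewall]->checkPreAuth($user);
    return sprintf('logged in %s on %s', $user->getUserIdentifier(), $firewall);
}

// Constructed wiring: "main" keeps the default, "admin" has the custom checker.
$locator = ['main' => new DefaultUserChecker(), 'admin' => new RequireMfaUserChecker()];
$user = new DemoUser('alice', mfaEnrolled: false);

// Before the fix: the admin-only check is bypassed.
echo loginBefore($user, 'admin', new DefaultUserChecker()), PHP_EOL;

// After the fix: the admin firewall's own checker rejects the login.
try {
    echo loginAfter($user, 'admin', $locator), PHP_EOL;
} catch (AccountStatusException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// The main firewall, with the default checker, still accepts the same user.
echo loginAfter($user, 'main', $locator), PHP_EOL;
```

Run with `php demo.php`; the first line shows the login succeeding on the admin firewall despite the custom checker, the second shows the rejection once the checker is resolved per firewall, and the third shows that firewalls without a custom checker behave as before.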

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Source     Affected versions    Patched version
symfony/security-bundle  Packagist  >= 6.2.0, < 6.4.10   6.4.10
symfony/security-bundle  Packagist  >= 7.0.0, < 7.0.10   7.0.10
symfony/security-bundle  Packagist  >= 7.1.0, < 7.1.3    7.1.3
symfony/symfony          Packagist  >= 6.2.0, < 6.4.10   6.4.10
symfony/symfony          Packagist  >= 7.0.0, < 7.0.10   7.0.10
symfony/symfony          Packagist  >= 7.1.0, < 7.1.3    7.1.3
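As an added example (not part of the advisory), the script below checks a composer.lock against the affected ranges from the table above using PHP's version_compare. The lock content is constructed inline for the demo; in practice you would pass the result of file_get_contents('composer.lock').

```php
<?php
// Added example, not part of the advisory. Affected ranges copied from the
// table above: [package, lower bound (inclusive), upper bound (exclusive), patched].
const AFFECTED = [
    ['symfony/security-bundle', '6.2.0', '6.4.10', '6.4.10'],
    ['symfony/security-bundle', '7.0.0', '7.0.10', '7.0.10'],
    ['symfony/security-bundle', '7.1.0', '7.1.3',  '7.1.3'],
    ['symfony/symfony',         '6.2.0', '6.4.10', '6.4.10'],
    ['symfony/symfony',         '7.0.0', '7.0.10', '7.0.10'],
    ['symfony/symfony',         '7.1.0', '7.1.3',  '7.1.3'],
];

// Returns one finding per locked package that falls inside an affected range.
function findAffected(string $lockJson): array {
    $lock = json_decode($lockJson, true, flags: JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        // Composer lock files record tagged releases as "v6.4.9"; strip the prefix.
        $version = ltrim($pkg['version'], 'v');
        foreach (AFFECTED as [$name, $lo, $hi, $patched]) {
            if ($pkg['name'] === $name
                && version_compare($version, $lo, '>=')
                && version_compare($version, $hi, '<')) {
                $findings[] = sprintf('%s %s is affected by CVE-2024-50341; upgrade to %s',
                    $name, $pkg['version'], $patched);
            }
        }
    }
    return $findings;
}

// Constructed lock file content for the demo.
$constructedLock = json_encode(['packages' => [
    ['name' => 'symfony/security-bundle', 'version' => 'v6.4.9'],
    ['name' => 'symfony/http-kernel',      'version' => 'v6.4.9'],
]]);

foreach (findAffected($constructedLock) ?: ['no affected packages found'] as $line) {
    echo $line, PHP_EOL;
}
```

Branch aliases such as "dev-main" do not compare meaningfully with version_compare, so a lock that pins a branch should be inspected by hand; `composer audit` remains the tool of record for this, and the script only shows what that comparison against the advisory's ranges looks like.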

Patches

Commit 22a0789a0085: use firewall-specific user checkers when manually logging in users

Repository: https://github.com/symfony/symfony · Author: Christian Flothmann · Jul 17, 2024 · via GHSA
4 files changed · +11 −4
  • src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php (+3 −0, modified)
    @@ -579,6 +579,9 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
     
             $container->setAlias('security.user_checker.'.$id, new Alias($firewall['user_checker'], false));
     
    +        $userCheckerLocator = $container->getDefinition('security.user_checker_locator');
    +        $userCheckerLocator->replaceArgument(0, array_merge($userCheckerLocator->getArgument(0), [$id => new ServiceClosureArgument(new Reference('security.user_checker.'.$id))]));
    +
             foreach ($this->getSortedFactories() as $factory) {
                 $key = str_replace('-', '_', $factory->getKey());
                 if ('custom_authenticators' !== $key && \array_key_exists($key, $firewall)) {
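Review bot: getArgument(0) on the security.user_checker_locator definition assumes that service has already been declared with an array as its first argument; since createFirewall runs once per firewall and merges into that array, the locator ends up with one entry per firewall id, each pointing at the per-firewall alias set on the line above. That alias is set unconditionally, so every firewall is present in the locator and Security::login can look up any firewall name without a fallback; a one-line comment here noting that the locator definition must exist before createFirewall runs would make the coupling explicit.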
    
  • src/Symfony/Bundle/SecurityBundle/Resources/config/security.php (+4 −1, modified)
    @@ -19,6 +19,7 @@
     use Symfony\Bundle\SecurityBundle\Security\FirewallContext;
     use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
     use Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext;
    +use Symfony\Component\DependencyInjection\ServiceLocator;
     use Symfony\Component\ExpressionLanguage\ExpressionLanguage as BaseExpressionLanguage;
     use Symfony\Component\Ldap\Security\LdapUserProvider;
     use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
    @@ -88,7 +89,7 @@
                         'security.authenticator.managers_locator' => service('security.authenticator.managers_locator')->ignoreOnInvalid(),
                         'request_stack' => service('request_stack'),
                         'security.firewall.map' => service('security.firewall.map'),
    -                    'security.user_checker' => service('security.user_checker'),
    +                    'security.user_checker_locator' => service('security.user_checker_locator'),
                         'security.firewall.event_dispatcher_locator' => service('security.firewall.event_dispatcher_locator'),
                         'security.csrf.token_manager' => service('security.csrf.token_manager')->ignoreOnInvalid(),
                     ]),
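Review bot: removing the 'security.user_checker' key from the Security service's container and replacing it with 'security.user_checker_locator' changes what $this->container exposes inside Security, so any subclass or test that still requests 'security.user_checker' through it will now fail with a not-found error; the replacement is correct for the fix, but it deserves a line in the changelog or UPGRADE notes.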
    @@ -124,6 +125,8 @@
                 ->args(['none'])
     
             ->set('security.user_checker', InMemoryUserChecker::class)
    +        ->set('security.user_checker_locator', ServiceLocator::class)
    +            ->args([[]])
     
             ->set('security.expression_language', ExpressionLanguage::class)
                 ->args([service('cache.security_expression_language')->nullOnInvalid()])
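Review bot: declaring security.user_checker_locator with an empty map as its only argument means that, until SecurityExtension populates it, a lookup of any firewall name throws rather than silently falling back to the InMemoryUserChecker defined on the line above; that fail-closed behaviour is the right default for a check that gates login, and a short comment stating it would discourage someone from adding a default entry here later.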
    
  • src/Symfony/Bundle/SecurityBundle/Security.php (+2 −1, modified)
    @@ -127,7 +127,8 @@ public function login(UserInterface $user, ?string $authenticatorName = null, ?s
     
             $authenticator = $this->getAuthenticator($authenticatorName, $firewallName);
     
    -        $this->container->get('security.user_checker')->checkPreAuth($user);
    +        $userCheckerLocator = $this->container->get('security.user_checker_locator');
    +        $userCheckerLocator->get($firewallName)->checkPreAuth($user);
     
             return $this->container->get('security.authenticator.managers_locator')->get($firewallName)->authenticateUser($user, $authenticator, $request, $badges);
         }
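Review bot: the removed line consulted one global checker, while the new lines resolve the checker by $firewallName, which the method signature in the hunk header declares as nullable; ServiceLocator::get() expects a concrete service id, so confirm that $firewallName has been resolved to the request's firewall before this point (the getAuthenticator call above appears to rely on the same value), since a null here would fail the lookup rather than fall back to the default checker.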
    
  • src/Symfony/Bundle/SecurityBundle/Tests/SecurityTest.php (+2 −2, modified)
    @@ -142,7 +142,7 @@ public function testLogin()
                     ['request_stack', $requestStack],
                     ['security.firewall.map', $firewallMap],
                     ['security.authenticator.managers_locator', $this->createContainer('main', $userAuthenticator)],
    -                ['security.user_checker', $userChecker],
    +                ['security.user_checker_locator', $this->createContainer('main', $userChecker)],
                 ])
             ;
     
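Review bot: the updated expectation wires a single firewall 'main' with a single checker, so it verifies that the new locator key is consulted but not that the checker is selected per firewall; a regression test that registers a distinct checker for a second firewall and asserts that login() on that firewall invokes it, and not the 'main' one, would pin down the behaviour this fix introduces.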
    @@ -188,7 +188,7 @@ public function testLoginReturnsAuthenticatorResponse()
                     ['request_stack', $requestStack],
                     ['security.firewall.map', $firewallMap],
                     ['security.authenticator.managers_locator', $this->createContainer('main', $userAuthenticator)],
    -                ['security.user_checker', $userChecker],
    +                ['security.user_checker_locator', $this->createContainer('main', $userChecker)],
                 ])
             ;
     
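Review bot: this is the same container wiring as in testLogin above; extracting the shared service map into a helper would keep the two tests from drifting apart the next time the Security service's locator keys change.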
    


References (7)

News mentions (0): no linked articles in our index yet.