Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client
Description
symfony/http-client is a component of the Symfony PHP framework that fetches HTTP resources synchronously or asynchronously. Its NoPrivateNetworkHttpClient decorator is meant to refuse requests to private and local networks (an SSRF mitigation). Before the fix, the decorator only inspected the resolved peer address (`primary_ip`) inside its `on_progress` callback, and the transport reports that address only once it has connected. When the URL host is an IP literal inside a blocked range, the connection attempt therefore still happened, and the caller could tell a request blocked after connecting apart from one that failed to connect, which allows enumeration of internal IPs and open ports. As of versions 5.4.47, 6.4.15 and 7.1.8 (the patched versions listed below; the fix commit is titled "Filter private IPs before connecting when Host == IP") the decorator checks the URL host against the blocked subnets before any connection is made. All users are advised to upgrade. There are no known workarounds for this vulnerability.
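The ordering problem described above, as an added example that is not code from symfony/http-client or Symfony: a fake transport (constructed for this example) invokes `on_progress` once before connecting, with an empty `primary_ip`, and once more after a successful connect, and a small CIDR matcher stands in for Symfony's IpUtils. The pre-fix style filter checks only `primary_ip`, so an IP-literal loopback URL yields an "IP blocked" error on an open port and a "Connection refused" error on a closed one, which is the port oracle. The post-fix style filter rejects the literal host on the first callback, so every port yields the same "Host blocked" error. The callback ordering, the blocked-range list and the set of open ports are assumptions of this example, not facts taken from the project.

```php
<?php
// Added example; not code from symfony/http-client. A fake transport and a
// small subnet matcher stand in for the real client and Symfony's IpUtils.
declare(strict_types=1);

final class BlockedHostException extends RuntimeException {}

// Constructed list of blocked ranges (a subset of what the real client blocks).
const PRIVATE_SUBNETS = [
    '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '::1/128', 'fc00::/7', 'fe80::/10',
];

// CIDR membership test for IPv4 and IPv6; strings that are not IP literals never match.
function ipInSubnet(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isBlocked(string $ip): bool
{
    foreach (PRIVATE_SUBNETS as $cidr) {
        if (ipInSubnet($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

final class FakeTransport
{
    /** @param array<string, int[]> $openPorts peer IP => ports that accept a connection (constructed fixture) */
    public function __construct(private array $openPorts) {}

    public function request(string $url, callable $onProgress): string
    {
        $host = trim((string) parse_url($url, PHP_URL_HOST), '[]');
        $port = parse_url($url, PHP_URL_PORT) ?: 80;

        // Assumption of this example: the transport reports the URL to on_progress
        // once before it connects, when no peer address is known yet...
        $onProgress(0, 0, ['url' => $url, 'primary_ip' => '']);

        // ...then connects. IP literals resolve to themselves; no DNS is modelled here.
        if (!in_array($port, $this->openPorts[$host] ?? [], true)) {
            throw new RuntimeException(sprintf('Connection refused to %s:%d', $host, $port));
        }

        // Only now is primary_ip known, which is all the pre-fix filter inspected.
        $onProgress(0, 0, ['url' => $url, 'primary_ip' => $host]);

        return 'HTTP/1.1 200 OK';
    }
}

// Pre-fix behaviour: only the resolved peer address is checked, i.e. after the connect.
function vulnerableFilter(): callable
{
    return function (int $dlNow, int $dlSize, array $info): void {
        if ($info['primary_ip'] !== '' && isBlocked($info['primary_ip'])) {
            throw new BlockedHostException(sprintf('IP "%s" is blocked for "%s".', $info['primary_ip'], $info['url']));
        }
    };
}

// Post-fix behaviour: an IP-literal host in the URL is rejected on the first callback,
// before the transport has connected; the primary_ip check remains for hostnames.
function fixedFilter(): callable
{
    $lastUrl = '';
    return function (int $dlNow, int $dlSize, array $info) use (&$lastUrl): void {
        if ($info['url'] !== $lastUrl) {
            $host = trim((string) (parse_url($info['url'], PHP_URL_HOST) ?: ''), '[]');
            if ($host !== '' && isBlocked($host)) {
                throw new BlockedHostException(sprintf('Host "%s" is blocked for "%s".', $host, $info['url']));
            }
            $lastUrl = $info['url'];
        }
        if ($info['primary_ip'] !== '' && isBlocked($info['primary_ip'])) {
            throw new BlockedHostException(sprintf('IP "%s" is blocked for "%s".', $info['primary_ip'], $info['url']));
        }
    };
}

// What an attacker who controls the URL gets to observe: the error text.
function probe(FakeTransport $transport, callable $filter, string $url): string
{
    try {
        return $transport->request($url, $filter);
    } catch (Throwable $e) {
        return $e->getMessage();
    }
}

// Constructed fixture: only 22 and 6379 accept connections on loopback.
$transport = new FakeTransport(['127.0.0.1' => [22, 6379]]);
foreach ([22, 23, 6379] as $port) {
    $url = sprintf('http://127.0.0.1:%d/', $port);
    printf("%-25s pre-fix: %-48s post-fix: %s\n",
        $url, probe($transport, vulnerableFilter(), $url), probe($transport, fixedFilter(), $url));
}
```

Run with `php example.php`: with the pre-fix filter, ports 22 and 6379 report `IP "127.0.0.1" is blocked` while port 23 reports `Connection refused`, so the error text doubles as a port scanner; with the post-fix filter all three report `Host "127.0.0.1" is blocked` and the fake transport's connect step is never reached. Hostnames that merely resolve to a private address still depend on the later `primary_ip` check in both variants, which is why the fix is specific to the "Host == IP" case.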
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| symfony/http-client | Packagist | >= 4.3.0, < 5.4.47 | 5.4.47 |
| symfony/http-client | Packagist | >= 6.0.0, < 6.4.15 | 6.4.15 |
| symfony/http-client | Packagist | >= 7.0.0, < 7.1.8 | 7.1.8 |
| symfony/symfony | Packagist | >= 4.3.0, < 5.4.47 | 5.4.47 |
| symfony/symfony | Packagist | >= 6.0.0, < 6.4.15 | 6.4.15 |
| symfony/symfony | Packagist | >= 7.0.0, < 7.1.8 | 7.1.8 |
Affected products
- Range: < 5.4.47 (matching the affected packages table; the 6.4 and 7.1 branches are fixed in 6.4.15 and 7.1.8)
Patches
296d4b34a33b [HttpClient] Filter private IPs before connecting when Host == IP
2 files changed · +37 −3
src/Symfony/Component/HttpClient/NoPrivateNetworkHttpClient.php+12 −1 modified@@ -77,9 +77,20 @@ public function request(string $method, string $url, array $options = []): Respo } $subnets = $this->subnets; + $lastUrl = ''; $lastPrimaryIp = ''; - $options['on_progress'] = function (int $dlNow, int $dlSize, array $info) use ($onProgress, $subnets, &$lastPrimaryIp): void { + $options['on_progress'] = function (int $dlNow, int $dlSize, array $info) use ($onProgress, $subnets, &$lastUrl, &$lastPrimaryIp): void { + if ($info['url'] !== $lastUrl) { + $host = trim(parse_url($info['url'], PHP_URL_HOST) ?: '', '[]'); + + if ($host && IpUtils::checkIp($host, $subnets ?? self::PRIVATE_SUBNETS)) { + throw new TransportException(sprintf('Host "%s" is blocked for "%s".', $host, $info['url'])); + } + + $lastUrl = $info['url']; + } + if ($info['primary_ip'] !== $lastPrimaryIp) { if ($info['primary_ip'] && IpUtils::checkIp($info['primary_ip'], $subnets ?? self::PRIVATE_SUBNETS)) { throw new TransportException(sprintf('IP "%s" is blocked for "%s".', $info['primary_ip'], $info['url']));
src/Symfony/Component/HttpClient/Tests/NoPrivateNetworkHttpClientTest.php+25 −2 modified@@ -65,10 +65,10 @@ public static function getExcludeData(): array /** * @dataProvider getExcludeData */ - public function testExclude(string $ipAddr, $subnets, bool $mustThrow) + public function testExcludeByIp(string $ipAddr, $subnets, bool $mustThrow) { $content = 'foo'; - $url = sprintf('http://%s/', 0 < substr_count($ipAddr, ':') ? sprintf('[%s]', $ipAddr) : $ipAddr); + $url = sprintf('http://%s/', strtr($ipAddr, '.:', '--')); if ($mustThrow) { $this->expectException(TransportException::class); @@ -85,6 +85,29 @@ public function testExclude(string $ipAddr, $subnets, bool $mustThrow) } } + /** + * @dataProvider getExcludeData + */ + public function testExcludeByHost(string $ipAddr, $subnets, bool $mustThrow) + { + $content = 'foo'; + $url = sprintf('http://%s/', str_contains($ipAddr, ':') ? sprintf('[%s]', $ipAddr) : $ipAddr); + + if ($mustThrow) { + $this->expectException(TransportException::class); + $this->expectExceptionMessage(sprintf('Host "%s" is blocked for "%s".', $ipAddr, $url)); + } + + $previousHttpClient = $this->getHttpClientMock($url, $ipAddr, $content); + $client = new NoPrivateNetworkHttpClient($previousHttpClient, $subnets); + $response = $client->request('GET', $url); + + if (!$mustThrow) { + $this->assertEquals($content, $response->getContent()); + $this->assertEquals(200, $response->getStatusCode()); + } + } + public function testCustomOnProgressCallback() { $ipAddr = '104.26.14.6';
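Review bot: in the NoPrivateNetworkHttpClient.php hunk, the new host check still lives inside on_progress, so it only runs "before connecting" if the transport invokes the callback with the new url before it opens the socket; nothing in the closure documents that ordering assumption, and a reader of `if ($info['url'] !== $lastUrl)` cannot tell why this branch fires earlier than the `primary_ip` one below it. Suggest a comment stating that the first on_progress call for a URL precedes the connect, or moving the literal-IP check for the initial URL out of the callback into request() (redirects would still rely on the callback). Also, `IpUtils::checkIp($host, $subnets ?? self::PRIVATE_SUBNETS)` only matches hosts that parse as canonical IP literals; a shorthand or integer form of an address that the resolver still accepts would skip this branch and fall through to the post-connect `primary_ip` check, so a test case with such forms would confirm whether they remain distinguishable.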
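Review bot: in the testExcludeByIp hunk, `$url = sprintf('http://%s/', strtr($ipAddr, '.:', '--'));` turns the address into a hostname such as `104-26-14-6` so that only the `primary_ip` branch is exercised, but nothing says so; a one-line comment would save the next reader from wondering why an IP address is being mangled. The hunk stops right after `$this->expectException(TransportException::class);`, so confirm that the expectExceptionMessage line that follows (not shown here) still asserts the `IP "%s" is blocked` wording rather than the new `Host "%s" is blocked` one, otherwise a regression that routes these cases through the host branch would go unnoticed.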
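Review bot: testExcludeByHost proves that a TransportException is thrown but not the property the commit title claims, namely that no connection is made; in the `$mustThrow` case the test could additionally assert that the decorated client returned by `$this->getHttpClientMock($url, $ipAddr, $content)` never receives a request, or that on_progress never sees a non-empty primary_ip. The method body otherwise duplicates testExcludeByIp apart from the URL and the expected message; a shared helper taking the URL and message would keep the two from drifting apart.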
References
- GitHub advisory GHSA-9c3x-r3wp-mgxm: github.com/advisories/GHSA-9c3x-r3wp-mgxm
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2024-50342
- FriendsOfPHP security-advisories (symfony/http-client): github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-client/CVE-2024-50342.yaml
- FriendsOfPHP security-advisories (symfony/symfony): github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50342.yaml
- Fix commit: github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b
- Advisory in the Symfony repository: github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm
- Symfony security announcement: symfony.com/cve-2024-50342