Sylius has an Open Redirect via Referer Header
Description
Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction() and StorageBasedLocaleSwitcher::handle() use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. The browser automatically sends the attacker's site as the Referer, and the application redirects back to it. This can be used for phishing or credential theft, as the redirect originates from a trusted domain. The severity varies by endpoint; public endpoints require no authentication and are trivially exploitable, while admin-only endpoints require an authenticated session but remain vulnerable if an admin follows a link from an external source such as email or chat. The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3 and above.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sylius open redirect vulnerability in CurrencySwitchController, ImpersonateUserController, and StorageBasedLocaleSwitcher allows phishing via Referer header manipulation; fixed in multiple versions.
Sylius, an open-source eCommerce framework on Symfony, contains an open redirect vulnerability in three controllers: CurrencySwitchController::switchAction(), ImpersonateUserController::impersonateAction(), and StorageBasedLocaleSwitcher::handle(). These endpoints directly use the HTTP Referer header to determine the redirect destination without validation [1].
An attacker can craft a link to a legitimate Sylius endpoint, hosted on an attacker-controlled page. When a victim clicks the link, the browser automatically sends the attacker's site URL as the Referer header. The application then redirects the victim to that attacker-controlled URL, which appears to originate from a trusted domain [2]. For public endpoints like currency and locale switching, no authentication is required. The admin impersonation endpoint requires an authenticated session, but remains exploitable if an admin follows a link from an external source such as email or chat [1].
This open redirect can be leveraged for phishing attacks or credential theft, as the redirect originates from a trusted Sylius domain, making malicious sites appear legitimate [1]. The severity varies by endpoint: public endpoints present a low barrier to exploitation, while admin endpoints require prior authentication but are still vulnerable [2].
The issue is fixed in Sylius versions 1.9.12, 1.10.16, 1.11.17, 1.12.23, 1.13.15, 1.14.18, 2.0.16, 2.1.12, 2.2.3, and above [1]. As a workaround, affected classes can be copied from vendor to the project's src/ directory, patched, and service definitions overridden [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sylius/syliusPackagist | < 1.9.12 | 1.9.12 |
sylius/syliusPackagist | >= 1.10.0, < 1.10.16 | 1.10.16 |
sylius/syliusPackagist | >= 1.11.0, < 1.11.17 | 1.11.17 |
sylius/syliusPackagist | >= 1.12.0, < 1.12.23 | 1.12.23 |
sylius/syliusPackagist | >= 1.13.0, < 1.13.15 | 1.13.15 |
sylius/syliusPackagist | >= 1.14.0, < 1.14.18 | 1.14.18 |
sylius/syliusPackagist | >= 2.0.0, < 2.0.16 | 2.0.16 |
sylius/syliusPackagist | >= 2.1.0, < 2.1.12 | 2.1.12 |
sylius/syliusPackagist | >= 2.2.0, < 2.2.3 | 2.2.3 |
Affected products
2- Sylius/Syliusv5Range: >= 2.2.0, < 2.2.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-9ffx-f77r-756wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31819ghsaADVISORY
- github.com/Sylius/Sylius/security/advisories/GHSA-9ffx-f77r-756wghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.