SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
Description
A bypass vulnerability in SymfonyRuntime allows unauthenticated GET requests to alter application environment and debug flags, reinstating a previously fixed issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
This vulnerability affects applications booted through symfony/runtime when the register_argc_argv PHP configuration is set to On. An earlier fix for CVE-2024-50340 incorrectly used empty($_GET) to determine if the application was invoked via CLI. However, an attacker can craft a query string that leaves $_GET empty while still populating $_SERVER['argv'] with malicious flags, bypassing the security check. This bypass affects symfony/runtime versions prior to the fix.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET request. The request must target an application using symfony/runtime with register_argc_argv=On. The attacker crafts a query string that results in $_GET being empty but $_SERVER['argv'] containing arguments like --env or --no-debug. The SymfonyRuntime::getInput() function then incorrectly parses these arguments from $_SERVER['argv'].
Impact
Successful exploitation allows an unauthenticated attacker to change the application's kernel environment variable (APP_ENV) and toggle the debug flag (APP_DEBUG). This could lead to unintended application behavior, potential information disclosure if debugging is enabled, or other security implications depending on how the environment and debug settings are used within the application.
Mitigation
The vulnerability is addressed by gating the read of $_SERVER['argv'] on isset($_SERVER['QUERY_STRING']) instead of empty($_GET). This ensures that the security check and the parsed arguments originate from the same source. The patch is available for branch 5.4. Specific fixed versions mentioned are symfony/runtime 5.4.46, 6.4.14, and 7.1.7. Worker SAPIs like FrankenPHP, RoadRunner, and Swoole are unaffected as the runtime constructor runs once at boot when QUERY_STRING is unset [1][2][3].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
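The gate change described under Mitigation, as an added example that is not code from the Symfony project: it evaluates the old and new conditions against constructed request states and shows that they disagree only when $_GET parses empty while QUERY_STRING is set. The helper names (simulateRequest, oldGateReadsArgv, newGateReadsArgv) are hypothetical, the argv emulation (raw query split on "+") is an assumption taken from the fixture in the patch's new test, and the class_exists(ArgvInput::class) part of the real condition is left out.

```php
<?php
// Added example, not Symfony code: old vs. new gate on constructed request states.

/**
 * Builds the superglobal state for one request.
 * Assumption: a web SAPI with register_argc_argv=On fills argv by splitting
 * the raw query string on "+", as in the fixture of the patch's new test.
 */
function simulateRequest(?string $query, array $cliArgv = []): array
{
    if (null === $query) {
        // CLI invocation: QUERY_STRING is not set, argv is the command line.
        return ['get' => [], 'server' => ['argv' => $cliArgv]];
    }
    parse_str($query, $get); // the same parser that fills $_GET

    return [
        'get' => $get,
        'server' => ['QUERY_STRING' => $query, 'argv' => explode('+', $query)],
    ];
}

// Gate before the fix: decides "CLI" from the parsed $_GET.
function oldGateReadsArgv(array $r): bool
{
    return empty($r['get']) && isset($r['server']['argv']);
}

// Gate after the fix: decides "CLI" from the raw value argv is built from.
function newGateReadsArgv(array $r): bool
{
    return !isset($r['server']['QUERY_STRING']) && isset($r['server']['argv']);
}

// Constructed sample states; the third query string is the one in the patch's test.
$cases = [
    'CLI, console --env=test' => simulateRequest(null, ['console', '--env=test']),
    'web, ?page=2' => simulateRequest('page=2'),
    'web, query from the patch test' => simulateRequest('=+--env=prod+--no-debug'),
];

foreach ($cases as $label => $r) {
    printf(
        "%-32s GET empty: %-5s old gate reads argv: %-5s new gate reads argv: %s\n",
        $label,
        var_export(empty($r['get']), true),
        var_export(oldGateReadsArgv($r), true),
        var_export(newGateReadsArgv($r), true)
    );
}
```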
Affected products (2)
- Range: before 5.4.46, 6.4.14, 7.1.7
- Range: before 5.4.46, 6.4.14, 7.1.7
Patches
13228c3806ee5 [Runtime] Fix CVE-2024-50340 patch bypass by gating argv on $_SERVER['QUERY_STRING']
3 files changed · +24 −2
src/Symfony/Component/Runtime/SymfonyRuntime.php+2 −2 modified@@ -95,7 +95,7 @@ public function __construct(array $options = []) if (isset($options['env'])) { $_SERVER[$envKey] = $options['env']; - } elseif (empty($_GET) && isset($_SERVER['argv']) && class_exists(ArgvInput::class)) { + } elseif (!isset($_SERVER['QUERY_STRING']) && isset($_SERVER['argv']) && class_exists(ArgvInput::class)) { $this->options = $options; $this->getInput(); } @@ -216,7 +216,7 @@ protected static function register(GenericRuntime $runtime): GenericRuntime private function getInput(): ArgvInput { - if (!empty($_GET) && filter_var(ini_get('register_argc_argv'), \FILTER_VALIDATE_BOOL)) { + if (isset($_SERVER['QUERY_STRING']) && filter_var(ini_get('register_argc_argv'), \FILTER_VALIDATE_BOOL)) { throw new \Exception('CLI applications cannot be run safely on non-CLI SAPIs with register_argc_argv=On.'); }
src/Symfony/Component/Runtime/Tests/phpt/kernel_query_string_argv_bypass.phpt+21 −0 added@@ -0,0 +1,21 @@ +--TEST-- +Test that argv is ignored on web requests even when $_GET parses empty (QUERY_STRING gap) +--INI-- +display_errors=1 +register_argc_argv=1 +--FILE-- +<?php + +// A real web request with QUERY_STRING="=+--env=prod+--no-debug": +// parse_str() drops the leading "=" token so $_GET is empty, +// but the web SAPI builds argv from the raw query and feeds attacker flags in. +$_GET = []; +$_SERVER['QUERY_STRING'] = '=+--env=prod+--no-debug'; +$_SERVER['argc'] = 3; +$_SERVER['argv'] = ['=', '--env=prod', '--no-debug']; + +require $_SERVER['SCRIPT_FILENAME'] = __DIR__.'/kernel.php'; + +?> +--EXPECTF-- +OK Kernel (env=dev) foo_bar
src/Symfony/Component/Runtime/Tests/phpt/kernel_register_argc_argv.phpt+1 −0 modified@@ -8,6 +8,7 @@ register_argc_argv=1 // emulating PHP behavior with register_argc_argv=1 $_GET['-e_test'] = ''; +$_SERVER['QUERY_STRING'] = '-e_test='; $_SERVER['argc'] = 1; $_SERVER['argv'] = [' ', '-e', 'test'];
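Review bot: In the constructor hunk of SymfonyRuntime.php (@@ -95), the new !isset($_SERVER['QUERY_STRING']) condition has no comment saying why QUERY_STRING is tested instead of $_GET. A one-line comment above the elseif, stating that argv on web SAPIs is built from the raw query string and the gate therefore has to look at that same value, would keep a later cleanup from reverting to empty($_GET).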
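Review bot: In the getInput() hunk of SymfonyRuntime.php (@@ -216), the isset($_SERVER['QUERY_STRING']) test is the negation of the condition added in __construct(), written out a second time. Consider a small private helper used by both places so the two gates cannot drift apart; the bypass being fixed came from the check and the argv source disagreeing. Note also that isset() is true for an empty string, so the exception now fires for any request where the SAPI sets QUERY_STRING at all; if that is intended, say so next to the throw.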
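Review bot: In kernel_query_string_argv_bypass.phpt the --EXPECTF-- line only shows env=dev, so the --no-debug entry in the argv fixture is never checked; a regression that ignored --env but still honored --no-debug would pass. Have the kernel fixture print the debug flag as well, or add an assertion for it. The comment "A real web request with QUERY_STRING=..." should read "emulating", since the superglobals are assigned by hand in the lines that follow.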
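Review bot: In kernel_register_argc_argv.phpt the added $_SERVER['QUERY_STRING'] = '-e_test='; does not line up with the argv fixture two lines below it. In the new bypass test argv is the query string split on "+", but '-e_test=' contains no "+" while argv here has three entries. Set QUERY_STRING to the raw query that would produce this argv, or add a comment that only its presence matters for this test.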