VYPR
Medium severity (6.3) · NVD Advisory · Published Jun 19, 2026 · Updated Jun 19, 2026

symfony/ux-autocomplete: Information exposure via unescaped LIKE wildcards in EntitySearchUtil

CVE-2026-49211

Description

Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause() builds the LIKE expression used by the autocomplete endpoint by wrapping the client-supplied query in %...% without escaping the SQL LIKE wildcards (%, _, \). The value is passed as a bound parameter, so this is not SQL injection, but a client can send % to match every row or use _ as a single-character wildcard.

Because searchable_fields defaults to every property of the entity and the autocomplete endpoint is public by default (BaseEntityAutocompleteType ships with security => false), an unauthenticated user can turn the endpoint into a broad matcher or a blind boolean oracle against every column of the entity, including columns the application never intended to expose.

Resolution

EntitySearchUtil now escapes `\`, `%`, and `_` in the user-supplied query with addcslashes() and appends an explicit ESCAPE '\' clause to the generated LIKE expression, so those characters are matched literally instead of acting as wildcards. The exact-match words_query IN() branch is unchanged.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and providing the fix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing escaping of SQL LIKE wildcards (`%`, `_`, `\`) in the user-supplied query before wrapping it in `%...%` for the LIKE expression."

Attack vector

An unauthenticated attacker sends a crafted query parameter (e.g. `%` or `_`) to the autocomplete endpoint. Because the query is wrapped in `%...%` without escaping LIKE wildcards, sending `%` matches every row in the entity, and `_` acts as a single-character wildcard. Since `searchable_fields` defaults to all properties and the endpoint is public by default, the attacker can turn the endpoint into a broad matcher or a blind boolean oracle against every column of the entity, including columns never intended to be exposed. [CWE-807] [ref_id=2]

Affected code

The vulnerability is in `Symfony\UX\Autocomplete\Doctrine\EntitySearchUtil::addSearchClause()` which builds the `LIKE` expression for the autocomplete endpoint. The method wraps the client-supplied query in `%...%` without escaping SQL `LIKE` wildcards (`%`, `_`, `\`). The autocomplete endpoint is public by default (`BaseEntityAutocompleteType` ships with `security => false`) and `searchable_fields` defaults to every property of the entity. [patch_id=6625361] [ref_id=2]

What the fix does

The patch escapes `\`, `%`, and `_` in the user-supplied query using `addcslashes($lowercaseQuery, '\\%_')` before wrapping it in `%...%`. It also appends an explicit `ESCAPE '\\'` clause to the `LIKE` expression so the backslash-escaped wildcards are treated as literal characters. The exact-match `words_query` `IN()` branch is intentionally left unchanged. As a result, a user-supplied `%` or `_` matches only rows that actually contain those characters, preventing the endpoint from being abused as a broad matcher or boolean oracle. [patch_id=6625361] [ref_id=1]
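The following is an added illustration of the Resolution above, not code from symfony/ux-autocomplete: it models the before and after of `addSearchClause()` against an in-memory SQLite table with constructed rows, using a small `escape_like()` that mirrors `addcslashes($q, '\\%_')`, and shows why the `ESCAPE '\'` clause is what turns the bound wildcards back into literal characters.

```python
import sqlite3

# Constructed sample rows standing in for an entity whose searchable_fields
# default to every property, including a column never meant to be searched.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "secret-token-1"),
    ("bob", "bob@example.com", "100%_off"),
    ("carol", "carol@example.com", "plain"),
]

ESCAPE_CHAR = "\\"


def escape_like(query: str) -> str:
    """Prefix \\, % and _ with a backslash, like addcslashes($q, '\\%_')."""
    return "".join(
        ESCAPE_CHAR + ch if ch in (ESCAPE_CHAR, "%", "_") else ch for ch in query
    )


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entity (name TEXT, email TEXT, token TEXT)")
    conn.executemany("INSERT INTO entity VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, query: str) -> list[str]:
    # Pre-fix behaviour: the raw query is wrapped in %...% and bound as a
    # parameter (no SQL injection), but % and _ stay live wildcards.
    pattern = f"%{query.lower()}%"
    sql = "SELECT name FROM entity WHERE name LIKE ? OR email LIKE ? OR token LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (pattern,) * 3))


def search_fixed(conn: sqlite3.Connection, query: str) -> list[str]:
    # Post-fix behaviour: wildcards are escaped and the LIKE carries an
    # explicit ESCAPE '\' so the database treats them as literal characters.
    pattern = f"%{escape_like(query.lower())}%"
    sql = (
        "SELECT name FROM entity WHERE name LIKE ? ESCAPE '\\' "
        "OR email LIKE ? ESCAPE '\\' OR token LIKE ? ESCAPE '\\'"
    )
    return sorted(row[0] for row in conn.execute(sql, (pattern,) * 3))


if __name__ == "__main__":
    db = open_db()
    print("vulnerable '%':", search_vulnerable(db, "%"))   # every row
    print("fixed '%':     ", search_fixed(db, "%"))        # only the literal %
```

Note that escaping alone is not enough: without the `ESCAPE` clause a backslash in the pattern is just another character on most backends, which is why the fix adds both.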

Preconditions

  • config: The autocomplete endpoint must be publicly accessible (default behavior of BaseEntityAutocompleteType with security => false)
  • config: The entity must have searchable_fields that include text properties (default is all properties)
  • network: Attacker must be able to send arbitrary query strings to the autocomplete endpoint

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
