When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored, which protects you from "cache poisoning" attacks.

In Symfony 5.2, we've added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests even when it was not part of the "trusted_headers" allowed list. An attacker could leverage this to forge requests containing an X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.

Symfony now ensures that the X-Forwarded-Prefix HTTP header is not forwarded to sub-requests when it is not trusted.
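The script below is an added illustration of the defensive behaviour described above; it is not Symfony's own patch. It uses the public `Request` API of `symfony/http-foundation` (installed via Composer, 5.2 or newer so that `Request::HEADER_X_FORWARDED_PREFIX` exists), while the `FORWARDED_HEADER_BITS` map, the `createSubRequest()` helper and all request values are constructed for this example. The trusted header set is configured without the prefix bit, so an X-Forwarded-Prefix header injected by a client must not survive into the sub-request, whereas a trusted X-Forwarded-Proto header does.

```php
<?php
// Added example, not Symfony's own fix: build a sub-request whose
// X-Forwarded-* server parameters are limited to the headers the
// application has configured as trusted.
require __DIR__.'/vendor/autoload.php'; // assumes symfony/http-foundation >= 5.2

use Symfony\Component\HttpFoundation\Request;

// Server keys of the X-Forwarded-* headers mapped to the Request bit that
// marks each one as trusted. The map is constructed here; the constants are Symfony's.
const FORWARDED_HEADER_BITS = [
    'HTTP_X_FORWARDED_FOR'    => Request::HEADER_X_FORWARDED_FOR,
    'HTTP_X_FORWARDED_HOST'   => Request::HEADER_X_FORWARDED_HOST,
    'HTTP_X_FORWARDED_PROTO'  => Request::HEADER_X_FORWARDED_PROTO,
    'HTTP_X_FORWARDED_PORT'   => Request::HEADER_X_FORWARDED_PORT,
    'HTTP_X_FORWARDED_PREFIX' => Request::HEADER_X_FORWARDED_PREFIX, // Symfony >= 5.2
];

/**
 * Hypothetical helper: create a sub-request for $uri that inherits the parent
 * request's server parameters, minus every X-Forwarded-* header that is not
 * part of the trusted header set.
 */
function createSubRequest(Request $parent, string $uri): Request
{
    $server  = $parent->server->all();
    $trusted = Request::getTrustedHeaderSet();

    foreach (FORWARDED_HEADER_BITS as $serverKey => $bit) {
        if (($trusted & $bit) === 0) {
            unset($server[$serverKey]); // untrusted: never forward it
        }
    }

    return Request::create($uri, 'GET', [], $parent->cookies->all(), [], $server);
}

// Constructed configuration: trust the proxy network for the For and Proto
// headers only; the Prefix header is deliberately left untrusted.
Request::setTrustedProxies(
    ['10.0.0.0/8'],
    Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PROTO
);

// Constructed parent request: a client has injected an X-Forwarded-Prefix
// value that the proxy did not add.
$parent = Request::create('/page', 'GET', [], [], [], [
    'REMOTE_ADDR'             => '10.1.2.3',
    'HTTP_X_FORWARDED_PROTO'  => 'https',
    'HTTP_X_FORWARDED_PREFIX' => '/injected',
]);

$sub = createSubRequest($parent, '/_fragment/sidebar');

// Expected: the untrusted prefix is gone, the trusted proto is kept.
var_dump($sub->headers->has('X-Forwarded-Prefix')); // bool(false)
var_dump($sub->headers->get('X-Forwarded-Proto'));  // string(5) "https"
```

The check works with the composite sets as well (`Request::HEADER_X_FORWARDED_AWS_ELB`, `Request::HEADER_X_FORWARDED_TRAEFIK`), because they are bitmasks built from the individual header bits, so a bitwise AND against each entry of the map still tells you whether that specific header is trusted.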
The patch for this issue is available here for branch 5.3.
We would like to thank Soner Sayakci for reporting the issue and Jérémy Derussé for fixing the issue.
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml
github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
github.com/symfony/symfony/pull/44243
github.com/symfony/symfony/releases/tag/v5.3.12
github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
nvd.nist.gov/vuln/detail/CVE-2021-41267
symfony.com/cve-2021-41267