An attacker is able to inject and execute arbitrary code on the host OS if the response can be manipulated for a request being made by the CachingHttpClient.
github.com/advisories/GHSA-qvc5-cfrr-384v
github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78
github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
lists.fedoraproject.org/archives/list/[email protected]/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/
lists.fedoraproject.org/archives/list/[email protected]/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/
packagist.org/packages/symfony/http-kernel
packagist.org/packages/symfony/symfony