Symfony is vulnerable to Sensitive Information Disclosure. The vulnerability is due to the FragmentHandler considering all fragment render requests as coming from a trusted source, regardless of their origin, due to the inability to distinguish between legitimate ESI requests by a trusted proxy like Varnish and direct.