Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote unauthenticated attacker supplies XML with no added complexity (AV:N/AC:L/PR:N/UI:N); impact is local file disclosure so C:H, I:N, A:N; no code executes outside the component so S:N.
Primary rating from Vendor (https://github.com/symfony/symfony).
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Description
symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit's HttpBrowser uses it to parse fetched pages.
Crawler::addXmlContent() sets DOMDocument::$validateOnParse = true before calling loadXML(). Setting validateOnParse re-enables libxml's DTD subset processing, including external entity resolution, even though LIBXML_NONET is passed. LIBXML_NONET blocks network fetches but not file:// entities. An attacker-supplied XML document with a SYSTEM "file:///etc/passwd" entity is therefore expanded.
Resolution
The Crawler::addXmlContent method does not set the validateOnParse flag anymore.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
AnalysisAI
XML External Entity (XXE) local file disclosure in Symfony's DomCrawler component allows remote attackers to read arbitrary server-side files when an application parses attacker-controlled XML via Crawler::addXmlContent(). The method explicitly set DOMDocument::$validateOnParse = true, which re-enabled libxml DTD subset processing and external entity resolution; because LIBXML_NONET only blocks network fetches and not file:// entities, an entity such as SYSTEM "file:///etc/passwd" is expanded and its contents exposed. EPSS is very low (0.05%, 17th percentile) and there is no public exploit identified at time of analysis, though the vendor commit ships a demonstrative test case.
Technical ContextAI
The affected technology is Symfony's DomCrawler component (package composer/symfony/dom-crawler, also bundled in the symfony/symfony monolith), which wraps PHP's ext-dom / libxml DOMDocument to let developers navigate HTML and XML with CSS and XPath selectors. Symfony's BrowserKit HttpBrowser uses the same Crawler to parse fetched pages, broadening the exposure to HTTP client / crawling workflows. The root cause is CWE-611 (Improper Restriction of XML External Entity Reference): Crawler::addXmlContent() called DOMDocument::loadXML() with LIBXML_NONET but first toggled $validateOnParse = true. Enabling validation forces libxml to process the internal DTD subset, which includes resolving declared external entities; LIBXML_NONET stops http(s)/ftp network retrieval but does not restrict local file:// URIs, so external entities pointing at local files are still dereferenced and inlined into the parsed document text.
RemediationAI
Upgrade to a fixed release: Symfony 5.4.52, 6.4.40, 7.4.12, or 8.0.12 (Vendor-released patch confirmed via release tags and commit eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d, which removes the $dom->validateOnParse = true line from Crawler::addXmlContent). Run composer update symfony/dom-crawler (or symfony/symfony) to the corresponding patched version for your branch. If you cannot upgrade immediately, avoid passing untrusted XML to Crawler::addXmlContent()/addContent() - parse third-party XML yourself with libxml_set_external_entity_loader() set to reject file:// (and non-http) URIs, or pre-strip/reject any DOCTYPE/DTD before handing content to the Crawler; the trade-off is added parsing code and potential breakage of legitimate documents that rely on a DTD. For HttpBrowser-based crawling, restrict which hosts/content are fetched and parsed. Advisory and patch references: https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w and https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44368
GHSA-x6g4-fwcc-jj8w