
Symfony security-http CVE-2026-45074

Severity: MEDIUM
Weakness: Authentication Bypass by Spoofing (CWE-290)
Published: 2026-05-27
Repository: https://github.com/symfony/symfony
Advisory: GHSA-j8gj-9rm5-4xhx

Lifecycle Timeline

Source Code Evidence Fetched: May 27, 2026, 22:31 (vuln.today)
Analysis Generated: May 27, 2026, 22:31 (vuln.today)

Description (NVD)

Cas2Handler builds the CAS service parameter (the URL sent to the CAS validation endpoint alongside the ticket) from Request::getSchemeAndHttpHost(), which reflects the attacker-controlled HTTP Host header whenever Symfony's framework.trusted_hosts setting is not configured (the default). Because a CAS server only accepts a ticket for the service it was issued to, an attacker who controls any *other* application registered with the same CAS server can capture a victim's ticket there, replay it against the Symfony application with a spoofed Host header naming the attacker's own service, and be authenticated as that victim.

Resolution

A new required service_url configuration option is introduced on Cas2Handler. The CAS service parameter sent to the validation endpoint is now built from this configured URL instead of being derived from the request's Host header, preventing cross-service ticket replay via Host header spoofing.

The patch for this issue is available for branch 7.4.
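To make the replay concrete, here is an added simulation (not Symfony's code and not part of the advisory) of the CAS 2.0 exchange on both sides: a toy CAS server that binds each one-time service ticket to the service URL it was issued for, a request object that mirrors getSchemeAndHttpHost() (reflecting Host unless trusted-host patterns are set), and the two handler variants described above. It assumes a target application at https://app.example/login, an attacker-registered application at https://attacker.example/login, and that the Host-derived service URL is scheme, host and path concatenated; the class and function names, the CasServer, and the user "victim" are all constructed for the example. The trusted_hosts variant shows why configuring framework.trusted_hosts blocks this particular spoof but is still only a request-level mitigation, whereas the configured service_url removes the Host header from the validation request altogether.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


class SuspiciousHost(Exception):
    """Host header matched no trusted-host pattern (Symfony raises
    SuspiciousOperationException in the same situation)."""


@dataclass
class CasServer:
    """Toy CAS 2.0 server, constructed for this example: a service ticket is
    bound to the exact `service` URL it was issued for and is single-use."""
    tickets: dict = field(default_factory=dict)
    issued: int = 0

    def login(self, username: str, service: str) -> str:
        # User authenticates at CAS; CAS redirects back to `service` with a
        # fresh ticket, which we simply return here.
        self.issued += 1
        ticket = f"ST-{self.issued}"
        self.tickets[ticket] = (username, service)
        return ticket

    def service_validate(self, ticket: str, service: str) -> Optional[str]:
        # /serviceValidate: consume the ticket, then require that `service`
        # equals the URL the ticket was issued for.
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        username, issued_for = entry
        return username if issued_for == service else None


@dataclass
class Request:
    """Stand-in for Symfony's Request with only the fields the handlers read."""
    host: str                  # HTTP Host header, attacker-controlled
    path: str
    ticket: str
    scheme: str = "https"
    trusted_hosts: tuple = ()  # regexes, modelled on framework.trusted_hosts

    def scheme_and_http_host(self) -> str:
        # Mirrors getSchemeAndHttpHost(): with no trusted_hosts configured
        # (the default) the Host header is reflected as-is.
        if self.trusted_hosts and not any(
            re.fullmatch(p, self.host) for p in self.trusted_hosts
        ):
            raise SuspiciousHost(self.host)
        return f"{self.scheme}://{self.host}"


class HostDerivedHandler:
    """Vulnerable pattern: CAS `service` is derived from the incoming request."""
    def __init__(self, cas: CasServer) -> None:
        self.cas = cas

    def authenticate(self, request: Request) -> Optional[str]:
        service = request.scheme_and_http_host() + request.path  # assumption
        return self.cas.service_validate(request.ticket, service)


class ConfiguredServiceHandler:
    """Fixed pattern: CAS `service` comes from static configuration."""
    def __init__(self, cas: CasServer, service_url: str) -> None:
        self.cas = cas
        self.service_url = service_url

    def authenticate(self, request: Request) -> Optional[str]:
        return self.cas.service_validate(request.ticket, self.service_url)


TARGET_SERVICE = "https://app.example/login"         # assumed target app
ATTACKER_SERVICE = "https://attacker.example/login"  # assumed co-registered app


def replay_attack(make_handler, trusted_hosts: tuple = ()) -> Optional[str]:
    """Victim logs into the attacker's app; the attacker leaves the ticket
    unvalidated and presents it to the target with Host set to their own
    service. Returns the user the target authenticated, or None."""
    cas = CasServer()
    handler = make_handler(cas)
    ticket = cas.login("victim", ATTACKER_SERVICE)
    spoofed = Request("attacker.example", "/login", ticket, trusted_hosts=trusted_hosts)
    try:
        return handler.authenticate(spoofed)
    except SuspiciousHost:
        return None


def legitimate_login(make_handler) -> Optional[str]:
    """Normal flow: the ticket was issued for the target's own service URL."""
    cas = CasServer()
    handler = make_handler(cas)
    ticket = cas.login("victim", TARGET_SERVICE)
    return handler.authenticate(Request("app.example", "/login", ticket))


if __name__ == "__main__":
    fixed = lambda cas: ConfiguredServiceHandler(cas, TARGET_SERVICE)
    print("host-derived, replayed ticket:", replay_attack(HostDerivedHandler))
    print("configured service_url, replayed ticket:", replay_attack(fixed))
    print("host-derived with trusted_hosts:",
          replay_attack(HostDerivedHandler, trusted_hosts=(r"app\.example",)))
    print("configured service_url, legitimate login:", legitimate_login(fixed))
```

Run as a script: the Host-derived handler authenticates the replayed ticket as "victim", while the configured-service handler rejects it and still accepts a ticket genuinely issued for the target. Note that the one-time-use check on the CAS side does nothing here, since the attacker's application never validates the ticket before replaying it.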

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Nicolas Grekas for providing the fix.

Analysis (AI)

Cross-service CAS ticket replay in Symfony's Cas2Handler lets an attacker who controls any co-registered CAS application authenticate as an arbitrary victim user against the target Symfony application. The flaw exists because Cas2Handler constructs the CAS service validation URL from the HTTP Host header, an attacker-supplied value, rather than from a statically configured URL; the condition holds by default, since framework.trusted_hosts is not configured in standard Symfony installations. …
