Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable and unauthenticated (AV:N/PR:N/UI:N) but requires a specific non-default method-scoped guard (AC:H); high integrity from unguarded side effects, low confidentiality from header leak, no availability impact.
Primary rating from Vendor (https://github.com/symfony/symfony).
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Description
Symfony's #[IsGranted('...')], #[IsSignatureValid], and #[IsCsrfTokenValid(...)] attributes allow you to define a methods: [...] argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining methods: ['GET'] would be ignored for a HEAD request.
On the other hand, Symfony's router (and HTTP semantics generally) serves HEAD requests using the GET handler. Therefore, a controller protected by e.g. #[IsGranted('ROLE_ADMIN', methods: ['GET'])] can be reached via HEAD with the authorization check silently skipped.
Even if the HEAD request won't get any response content, response headers leak (Content-Length, Location, custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur.
Resolution
When adding GET in the methods option of these attributes, Symfony now also include the HEAD method automatically.
The patch for this issue is available here for branch 7.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.
AnalysisAI
Authorization bypass in Symfony 7.4.x (before 7.4.12) and 8.0.x (before 8.0.12) lets remote attackers reach controllers protected by #[IsGranted], #[IsSignatureValid], or #[IsCsrfTokenValid] attributes configured with methods: ['GET'] by sending an HTTP HEAD request, which the router dispatches to the GET handler while the security check is silently skipped. Affected controllers still execute - leaking response headers (Content-Length, Location, custom headers) and performing side effects such as database writes - despite the missing authorization, signature, or CSRF validation. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.05%), but the flaw is a genuine access-control gap fixed in 7.4.12 and 8.0.12.
Technical ContextAI
Symfony is a widely used PHP web framework. The affected code lives in the http-kernel and security-http Composer packages, specifically the attribute classes and their kernel event listeners (IsGrantedAttributeListener, IsSignatureValidAttributeListener, IsCsrfTokenValidAttributeListener). These attributes accept a methods argument so a check applies only to listed HTTP verbs; the listener compares the current request method against that list and skips enforcement when it does not match. Per HTTP/1.1 semantics (RFC 9110), a HEAD request is served by the same handler as GET but returns no body - Symfony's router therefore routes HEAD to the GET controller. Because the attribute list contained 'GET' but not 'HEAD', the method comparison failed for HEAD and the guard was bypassed while the controller still ran. This is a classic CWE-863 Incorrect Authorization: the access-control decision is keyed on an incomplete set of conditions. The fix normalizes methods to uppercase and automatically appends 'HEAD' whenever 'GET' is present, so HEAD is now covered by any GET-scoped check.
RemediationAI
Vendor-released patch: upgrade to Symfony 7.4.12 or 8.0.12 (run composer update symfony/http-kernel symfony/security-http, or symfony/symfony for the metapackage), which makes any methods list containing GET automatically include HEAD. The fixing commit is https://github.com/symfony/symfony/commit/fa8d5c67aa4b22c9656e3fd7d5c3aa59865bf838 and releases are tagged at https://github.com/symfony/symfony/releases/tag/v7.4.12 and https://github.com/symfony/symfony/releases/tag/v8.0.12. If you cannot patch immediately, the actionable interim control is to explicitly add 'HEAD' alongside 'GET' in the methods argument of every affected attribute (e.g. methods: ['GET', 'HEAD']), which closes the specific bypass at the application level; alternatively remove the methods restriction so the guard applies to all verbs. As an infrastructure-level compensating control, configure a reverse proxy or WAF to block or rewrite HEAD requests to protected routes - trade-off: this can break legitimate clients and caches that rely on HEAD for metadata/existence checks, so scope it narrowly to sensitive endpoints. Review the GHSA-6439-2f28-8p8q advisory before deploying any mitigation.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44350
GHSA-6439-2f28-8p8q