Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network DoS is reliable against the default 0.0.0.0 bind (AV:N/AC:L/PR:N, A:H); object injection yields limited C/I, with full RCE only gadget-dependent, so C:L/I:L.
Primary rating from Vendor (https://github.com/symfony/symfony).
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Description
Symfony\Bridge\Monolog\Command\ServerLogCommand (the server:log console command) is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP object-deserialization sink:
- The listener binds to
0.0.0.0:9911by default; it accepts connections on every interface, not only loopback. - Each received frame is processed as
unserialize(base64_decode($message))without anallowed_classesallowlist, without authentication, and without any integrity check. The decoded value is then passed todisplayLog(..., array $record)which assumes (without validating) that the result is an array.
Any host that can reach TCP port 9911 on a machine running server:log can therefore submit attacker-chosen serialized PHP payloads. The minimum impact is an unauthenticated denial of service (sending a non-array, e.g. serialize(new stdClass()), crashes the listener with a type error). Object injection with magic-method side effects (__wakeup() / __destruct() / etc.) is reachable before the array type-check fires; full remote code execution is environment-dependent and contingent on usable gadget chains in the autoload set of the target process.
Resolution
The server:log command no longer binds to all interfaces by default: the default --host is now 127.0.0.1:9911, requiring explicit opt-in to accept off-host traffic. Message decoding is gated by an unserialize() allowlist restricted to the Symfony\Component\VarDumper\Caster\* and Symfony\Component\VarDumper\Cloner\* classes that legitimately appear inside dumped log records; any other class is rejected and the record discarded.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Toàn Thắng and Sam Sanoop for reporting the issue and Nicolas Grekas for fixing it.
AnalysisAI
Unauthenticated PHP object deserialization in Symfony's Monolog Bridge affects the development-time server:log console command, which by default binds its TCP log listener to 0.0.0.0:9911 and passes every received frame through unserialize(base64_decode(...)) with no allowed_classes allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running server:log can crash the listener (unauthenticated DoS) or trigger PHP object injection whose magic-method side effects may reach remote code execution when a usable gadget chain exists in the target's autoload set. No public exploit identified at time of analysis; EPSS is low (0.99%, 77th percentile) and the flaw is not in CISA KEV, consistent with a dev-only tool rather than a production-facing service.
Technical ContextAI
The affected component is Symfony\Bridge\Monolog\Command\ServerLogCommand, a helper that opens a raw TCP socket to display log records forwarded by the application's Monolog pipeline. The root cause is CWE-502 (Deserialization of Untrusted Data): each frame is decoded with native PHP unserialize() on attacker-controlled bytes before the code validates that the result is an array, so object instantiation and magic methods (__wakeup(), __destruct()) execute prior to any type check. The unsafe default is compounded by the listener binding to all interfaces (0.0.0.0) rather than loopback. The commit diff confirms the fix: the default --host becomes 127.0.0.1:9911 and decoding is gated by unserialize(..., ['allowed_classes' => [Data::class, Stub::class]]), restricting instantiation to the VarDumper\Cloner classes that legitimately appear in dumped records. Affected packages per CPE are the Composer packages symfony/monolog-bridge and the symfony/symfony monorepo.
RemediationAI
Vendor-released patch: upgrade symfony/monolog-bridge (or symfony/symfony) to 5.4.52, 6.4.40, 7.4.12, or 8.0.12 depending on your branch - run composer update symfony/monolog-bridge to the appropriate fixed release. The fix changes the default listen host to 127.0.0.1:9911 and enforces an unserialize allowlist limited to Symfony\Component\VarDumper\Caster\* and Cloner\* classes. If you cannot patch immediately, do not run server:log on production or shared hosts, explicitly pass --host=127.0.0.1:9911 so the listener binds only to loopback instead of 0.0.0.0, and block or firewall inbound TCP 9911 from all untrusted networks; the trade-off is that binding to loopback prevents legitimate off-host log forwarding, which for a dev-only tool is generally acceptable. Reference the advisory at https://github.com/symfony/symfony/security/advisories/GHSA-m7v2-7gxm-vc2v and the fix commit https://github.com/symfony/symfony/commit/0891b2f293896c488e26943dc034334364b77fc4.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44330
GHSA-m7v2-7gxm-vc2v