Skip to main content

Symfony HttpClient CVE-2026-48736

| EUVDEUVD-2026-44372 MEDIUM
Incomplete List of Disallowed Inputs (CWE-184)
2026-06-15 https://github.com/symfony/symfony GHSA-38cx-cq6f-5755
6.9
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Network-reachable SSRF bypass requiring no authentication to supply the URL; scope changes to internal systems (S:C); high confidentiality impact from internal service disclosure, low integrity from potential state-changing internal requests.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 20:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 15, 2026 - 18:22 vuln.today
Analysis Generated
Jun 15, 2026 - 18:22 vuln.today

DescriptionCVE.org

Description

Symfony\Component\HttpClient\NoPrivateNetworkHttpClient is documented as a decorator that blocks requests to private networks by default. The list of blocked subnets (Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS on 6.4+, a private constant in NoPrivateNetworkHttpClient on 5.4) enumerates RFC1918, loopback, link-local and IPv4-mapped IPv6 (::ffff:0:0/96) prefixes, but omits the remaining IPv6 transition forms that can embed a private IPv4 destination: 6to4 (2002::/16, RFC 3056), Teredo (2001::/32, RFC 4380), NAT64 (64:ff9b::/96, RFC 6052 and 64:ff9b:1::/48, RFC 8215) and IPv4-compatible IPv6 (::/96, RFC 4291 §2.5.5.1).

IpUtils::checkIp6() is a pure bitwise CIDR comparison against the constants list and never extracts the embedded IPv4, so an attacker who can supply a URL writes the loopback / RFC1918 IPv4 target as e.g. http://[2002:7f00:1::]/ (6to4 → 127.0.0.1), http://[64:ff9b::7f00:1]/ (NAT64 → 127.0.0.1), http://[::7f00:1]/ (IPv4-compatible → 127.0.0.1) or http://[2001::1]/ (Teredo). IpUtils::isPrivateIp() returns false and NoPrivateNetworkHttpClient dispatches the request.

Real-world reachability of the embedded IPv4 depends on the deploy's IPv6 routing (6to4 tunnel interface, upstream NAT64 gateway, kernel handling of IPv4-compatible addresses), but the security boundary the decorator promises - the dispatch decision - is crossed regardless of whether the packet ultimately lands on the embedded IPv4.

Resolution

The private-subnet list now includes ::/96, 2002::/16, 2001::/32, 64:ff9b::/96 and 64:ff9b:1::/48. Blanket blocking of these prefixes matches the policy applied by Chromium and Mozilla's Private Network Access; server-side HTTPS APIs are not legitimately published on these prefixes.

The patches for this issue are available here for branch 5.4 and here for branch 6.4 (and forward-ported to 7.4, 8.0 and 8.1).

Credits

Symfony would like to thank tonghuaroot for reporting the issue and Nicolas Grekas for providing the fix.

AnalysisAI

SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.

Technical ContextAI

Affected packages are composer/symfony/http-client (5.4 branch) and composer/symfony/http-foundation (6.4+ branches), identified via CPE strings pkg:composer/symfony_http-client and pkg:composer/symfony_http-foundation. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): IpUtils::checkIp6() performs a pure bitwise CIDR prefix comparison against a hardcoded constant list and never decodes the IPv4 payload embedded within IPv6 transition addresses. IPv6 transition mechanisms each embed a 32-bit IPv4 address at a fixed bit offset - 6to4 (RFC 3056) stores it in bits 16-47 of the 2002::/16 prefix; NAT64 (RFC 6052/RFC 8215) in the low 32 bits of 64:ff9b::/96 and 64:ff9b:1::/48; Teredo (RFC 4380) encodes it obfuscated in the 2001::/32 prefix; IPv4-compatible (RFC 4291 §2.5.5.1) places it in the low 32 bits of ::/96. The existing blocklist already included ::ffff:0:0/96 (IPv4-mapped), demonstrating awareness of the pattern, but the four remaining transition forms were absent. The fix adds all five missing prefixes, aligning Symfony's policy with Chromium and Mozilla's Private Network Access specifications.

RemediationAI

Upgrade to the earliest patched release for your branch: symfony/http-client 5.4.53, or symfony/http-foundation 6.4.41, 7.4.13, or 8.0.13. The patches add the five missing IPv6 transition prefixes (::/96, 2002::/16, 2001::/32, 64:ff9b::/96, 64:ff9b:1::/48) to IpUtils::PRIVATE_SUBNETS and to NoPrivateNetworkHttpClient's private constant. Patch commits are at https://github.com/symfony/symfony/commit/82765368cf74177c36613575182f168a2eb765b2 (5.4 branch) and https://github.com/symfony/symfony/commit/85b831555be8ea1f43bf01078afe87bc4c92f65e (6.4+ branch). If immediate upgrade is not feasible, compensating controls include: blocking all outbound IPv6 traffic at the network firewall or cloud security group (eliminates the routing pathway for 6to4/NAT64 but does not fix the filter logic); restricting outbound HTTP from the application to an allowlisted proxy that enforces destination controls; and independently protecting cloud metadata endpoints such as 169.254.169.254 via instance-level firewall rules that do not rely on application-layer filtering. Note that disabling IPv6 at the OS level prevents 6to4 and NAT64 routing but may be operationally disruptive and does not address all transition forms.

CVE-2015-4495 HIGH POC
8.8 Aug 08

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote

CVE-2013-1690 HIGH POC
8.8 Jun 26

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2013-0643 HIGH
8.8 Feb 27

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b

Share

CVE-2026-48736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy