Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable SSRF bypass requiring no authentication to supply the URL; scope changes to internal systems (S:C); high confidentiality impact from internal service disclosure, low integrity from potential state-changing internal requests.
Primary rating from Vendor (https://github.com/symfony/symfony).
CVSS VectorVendor: https://github.com/symfony/symfony
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Description
Symfony\Component\HttpClient\NoPrivateNetworkHttpClient is documented as a decorator that blocks requests to private networks by default. The list of blocked subnets (Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS on 6.4+, a private constant in NoPrivateNetworkHttpClient on 5.4) enumerates RFC1918, loopback, link-local and IPv4-mapped IPv6 (::ffff:0:0/96) prefixes, but omits the remaining IPv6 transition forms that can embed a private IPv4 destination: 6to4 (2002::/16, RFC 3056), Teredo (2001::/32, RFC 4380), NAT64 (64:ff9b::/96, RFC 6052 and 64:ff9b:1::/48, RFC 8215) and IPv4-compatible IPv6 (::/96, RFC 4291 §2.5.5.1).
IpUtils::checkIp6() is a pure bitwise CIDR comparison against the constants list and never extracts the embedded IPv4, so an attacker who can supply a URL writes the loopback / RFC1918 IPv4 target as e.g. http://[2002:7f00:1::]/ (6to4 → 127.0.0.1), http://[64:ff9b::7f00:1]/ (NAT64 → 127.0.0.1), http://[::7f00:1]/ (IPv4-compatible → 127.0.0.1) or http://[2001::1]/ (Teredo). IpUtils::isPrivateIp() returns false and NoPrivateNetworkHttpClient dispatches the request.
Real-world reachability of the embedded IPv4 depends on the deploy's IPv6 routing (6to4 tunnel interface, upstream NAT64 gateway, kernel handling of IPv4-compatible addresses), but the security boundary the decorator promises - the dispatch decision - is crossed regardless of whether the packet ultimately lands on the embedded IPv4.
Resolution
The private-subnet list now includes ::/96, 2002::/16, 2001::/32, 64:ff9b::/96 and 64:ff9b:1::/48. Blanket blocking of these prefixes matches the policy applied by Chromium and Mozilla's Private Network Access; server-side HTTPS APIs are not legitimately published on these prefixes.
The patches for this issue are available here for branch 5.4 and here for branch 6.4 (and forward-ported to 7.4, 8.0 and 8.1).
Credits
Symfony would like to thank tonghuaroot for reporting the issue and Nicolas Grekas for providing the fix.
AnalysisAI
SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.
Technical ContextAI
Affected packages are composer/symfony/http-client (5.4 branch) and composer/symfony/http-foundation (6.4+ branches), identified via CPE strings pkg:composer/symfony_http-client and pkg:composer/symfony_http-foundation. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): IpUtils::checkIp6() performs a pure bitwise CIDR prefix comparison against a hardcoded constant list and never decodes the IPv4 payload embedded within IPv6 transition addresses. IPv6 transition mechanisms each embed a 32-bit IPv4 address at a fixed bit offset - 6to4 (RFC 3056) stores it in bits 16-47 of the 2002::/16 prefix; NAT64 (RFC 6052/RFC 8215) in the low 32 bits of 64:ff9b::/96 and 64:ff9b:1::/48; Teredo (RFC 4380) encodes it obfuscated in the 2001::/32 prefix; IPv4-compatible (RFC 4291 §2.5.5.1) places it in the low 32 bits of ::/96. The existing blocklist already included ::ffff:0:0/96 (IPv4-mapped), demonstrating awareness of the pattern, but the four remaining transition forms were absent. The fix adds all five missing prefixes, aligning Symfony's policy with Chromium and Mozilla's Private Network Access specifications.
RemediationAI
Upgrade to the earliest patched release for your branch: symfony/http-client 5.4.53, or symfony/http-foundation 6.4.41, 7.4.13, or 8.0.13. The patches add the five missing IPv6 transition prefixes (::/96, 2002::/16, 2001::/32, 64:ff9b::/96, 64:ff9b:1::/48) to IpUtils::PRIVATE_SUBNETS and to NoPrivateNetworkHttpClient's private constant. Patch commits are at https://github.com/symfony/symfony/commit/82765368cf74177c36613575182f168a2eb765b2 (5.4 branch) and https://github.com/symfony/symfony/commit/85b831555be8ea1f43bf01078afe87bc4c92f65e (6.4+ branch). If immediate upgrade is not feasible, compensating controls include: blocking all outbound IPv6 traffic at the network firewall or cloud security group (eliminates the routing pathway for 6to4/NAT64 but does not fix the filter logic); restricting outbound HTTP from the application to an allowlisted proxy that enforces destination controls; and independently protecting cloud metadata endpoints such as 169.254.169.254 via instance-level firewall rules that do not rely on application-layer filtering. Note that disabling IPv6 at the OS level prevents 6to4 and NAT64 routing but may be operationally disruptive and does not address all transition forms.
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo
The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44372
GHSA-38cx-cq6f-5755