Skip to main content

Symfony UX Toolkit CVE-2026-55878

HIGH
Path Traversal (CWE-22)
2026-06-19 https://github.com/symfony/ux GHSA-p9xj-fpr2-jf2q
7.8
CVSS 3.1 · Vendor: https://github.com/symfony/ux
Share

Severity by source

Vendor (https://github.com/symfony/ux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local console command (AV:L), no auth needed by the kit author (PR:N), but the victim must invoke `ux:install` against the malicious kit (UI:R); arbitrary file read/write yields full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/ux).

CVSS VectorVendor: https://github.com/symfony/ux

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 23:36 vuln.today
Analysis Generated
Jun 19, 2026 - 23:36 vuln.today

DescriptionCVE.org

Description

The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative(), which returns true for paths like ../../../etc. Path::join() then resolves the .. segments without complaint, so the final path can escape the intended directory entirely. A crafted or compromised kit can therefore write attacker-controlled content to arbitrary locations on the developer's machine or CI runner.

Because the copy operation creates missing parent directories and can overwrite existing files silently (with --force or in non-interactive environments), an attacker who controls a kit can overwrite files such as controllers, git hooks, or .env to achieve code execution. The source side of copy-files is symmetrically affected, enabling local file reads outside the recipe directory.

Resolution

The fix introduces an Assert::pathDoesNotEscapeDirectory() helper that rejects any copy-files source or destination path containing a .. segment, regardless of whether / or \ is used as the separator. This check is enforced in both RecipeManifest (which also guards the source Finder) and File. As a last line of defense, the installer re-verifies the fully resolved paths with Path::isBasePath() immediately before each filesystem read and write.

Credits

Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.

AnalysisAI

Arbitrary file write and read in Symfony UX Toolkit's ux:install console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or .env files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Publish malicious recipe kit
Delivery
Victim runs `ux:install` against kit
Exploit
`copy-files` traversal escapes target dir
Execution
Overwrite `.env` or git hook
Impact
Code execution on next trigger

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim to run the `ux:install` console command of `symfony/ux-toolkit` (versions 2.32.0-2.36.0 or 3.0.0-3.1.x) against an attacker-controlled recipe kit whose manifest contains `copy-files` entries with `..` segments. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H scores 7.8 and accurately reflects the threat model: a developer or CI job is tricked into running `ux:install` against a malicious kit (UI:R), giving high impact across C/I/A through arbitrary file overwrite that pivots to code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes (or compromises) a Symfony UX recipe kit that includes a `copy-files` entry such as `../../../../.git/hooks/post-merge` or `../../../../.env`. When a developer or CI pipeline runs `php bin/console ux:install` against that kit - particularly with `--force` or in a non-interactive shell - the installer silently overwrites the targeted file with attacker content, yielding code execution on the next git operation or application boot.
Remediation Vendor-released patch: upgrade `symfony/ux-toolkit` to 2.36.1 on the 2.x branch or to 3.2.0 on the 3.x branch via `composer update symfony/ux-toolkit`, as documented in GHSA-p9xj-fpr2-jf2q (https://github.com/symfony/ux/security/advisories/GHSA-p9xj-fpr2-jf2q). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable or restrict all use of the ux:install command across development teams and CI/CD pipelines; audit recent usage for exposure to untrusted recipe sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy