Symfony UX Toolkit CVE-2026-55878
HIGHSeverity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local console command (AV:L), no auth needed by the kit author (PR:N), but the victim must invoke `ux:install` against the malicious kit (UI:R); arbitrary file read/write yields full C/I/A impact.
Primary rating from Vendor (https://github.com/symfony/ux).
CVSS VectorVendor: https://github.com/symfony/ux
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Description
The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative(), which returns true for paths like ../../../etc. Path::join() then resolves the .. segments without complaint, so the final path can escape the intended directory entirely. A crafted or compromised kit can therefore write attacker-controlled content to arbitrary locations on the developer's machine or CI runner.
Because the copy operation creates missing parent directories and can overwrite existing files silently (with --force or in non-interactive environments), an attacker who controls a kit can overwrite files such as controllers, git hooks, or .env to achieve code execution. The source side of copy-files is symmetrically affected, enabling local file reads outside the recipe directory.
Resolution
The fix introduces an Assert::pathDoesNotEscapeDirectory() helper that rejects any copy-files source or destination path containing a .. segment, regardless of whether / or \ is used as the separator. This check is enforced in both RecipeManifest (which also guards the source Finder) and File. As a last line of defense, the installer re-verifies the fully resolved paths with Path::isBasePath() immediately before each filesystem read and write.
Credits
Symfony would like to thank Pascal Cescon for reporting the issue and Hugo Alliaume for providing the fix.
AnalysisAI
Arbitrary file write and read in Symfony UX Toolkit's ux:install console command allows a crafted or compromised recipe kit to escape the intended installation directory and overwrite or read attacker-controlled files on a developer's machine or CI runner. Because overwriting controllers, git hooks, or .env files yields code execution, this path-traversal flaw escalates to local RCE, and no public exploit identified at time of analysis though the fix and root cause are documented in the upstream GHSA.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a victim to run the `ux:install` console command of `symfony/ux-toolkit` (versions 2.32.0-2.36.0 or 3.0.0-3.1.x) against an attacker-controlled recipe kit whose manifest contains `copy-files` entries with `..` segments. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H scores 7.8 and accurately reflects the threat model: a developer or CI job is tricked into running `ux:install` against a malicious kit (UI:R), giving high impact across C/I/A through arbitrary file overwrite that pivots to code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes (or compromises) a Symfony UX recipe kit that includes a `copy-files` entry such as `../../../../.git/hooks/post-merge` or `../../../../.env`. When a developer or CI pipeline runs `php bin/console ux:install` against that kit - particularly with `--force` or in a non-interactive shell - the installer silently overwrites the targeted file with attacker content, yielding code execution on the next git operation or application boot. |
| Remediation | Vendor-released patch: upgrade `symfony/ux-toolkit` to 2.36.1 on the 2.x branch or to 3.2.0 on the 3.x branch via `composer update symfony/ux-toolkit`, as documented in GHSA-p9xj-fpr2-jf2q (https://github.com/symfony/ux/security/advisories/GHSA-p9xj-fpr2-jf2q). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Disable or restrict all use of the ux:install command across development teams and CI/CD pipelines; audit recent usage for exposure to untrusted recipe sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p9xj-fpr2-jf2q