Skip to main content

Symfony Monolog Bridge EUVDEUVD-2026-44330

| CVE-2026-45077 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-27 https://github.com/symfony/symfony GHSA-m7v2-7gxm-vc2v
8.3
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Unauthenticated network DoS is reliable against the default 0.0.0.0 bind (AV:N/AC:L/PR:N, A:H); object injection yields limited C/I, with full RCE only gadget-dependent, so C:L/I:L.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 18:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 18:22 NVD
8.3 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 21:50 vuln.today
Analysis Generated
May 27, 2026 - 21:50 vuln.today

DescriptionCVE.org

Description

Symfony\Bridge\Monolog\Command\ServerLogCommand (the server:log console command) is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP object-deserialization sink:

  1. The listener binds to 0.0.0.0:9911 by default; it accepts connections on every interface, not only loopback.
  2. Each received frame is processed as unserialize(base64_decode($message)) without an allowed_classes allowlist, without authentication, and without any integrity check. The decoded value is then passed to displayLog(..., array $record) which assumes (without validating) that the result is an array.

Any host that can reach TCP port 9911 on a machine running server:log can therefore submit attacker-chosen serialized PHP payloads. The minimum impact is an unauthenticated denial of service (sending a non-array, e.g. serialize(new stdClass()), crashes the listener with a type error). Object injection with magic-method side effects (__wakeup() / __destruct() / etc.) is reachable before the array type-check fires; full remote code execution is environment-dependent and contingent on usable gadget chains in the autoload set of the target process.

Resolution

The server:log command no longer binds to all interfaces by default: the default --host is now 127.0.0.1:9911, requiring explicit opt-in to accept off-host traffic. Message decoding is gated by an unserialize() allowlist restricted to the Symfony\Component\VarDumper\Caster\* and Symfony\Component\VarDumper\Cloner\* classes that legitimately appear inside dumped log records; any other class is rejected and the record discarded.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Toàn Thắng and Sam Sanoop for reporting the issue and Nicolas Grekas for fixing it.

AnalysisAI

Unauthenticated PHP object deserialization in Symfony's Monolog Bridge affects the development-time server:log console command, which by default binds its TCP log listener to 0.0.0.0:9911 and passes every received frame through unserialize(base64_decode(...)) with no allowed_classes allowlist, authentication, or integrity check. Any host that can reach port 9911 on a machine running server:log can crash the listener (unauthenticated DoS) or trigger PHP object injection whose magic-method side effects may reach remote code execution when a usable gadget chain exists in the target's autoload set. No public exploit identified at time of analysis; EPSS is low (0.99%, 77th percentile) and the flaw is not in CISA KEV, consistent with a dev-only tool rather than a production-facing service.

Technical ContextAI

The affected component is Symfony\Bridge\Monolog\Command\ServerLogCommand, a helper that opens a raw TCP socket to display log records forwarded by the application's Monolog pipeline. The root cause is CWE-502 (Deserialization of Untrusted Data): each frame is decoded with native PHP unserialize() on attacker-controlled bytes before the code validates that the result is an array, so object instantiation and magic methods (__wakeup(), __destruct()) execute prior to any type check. The unsafe default is compounded by the listener binding to all interfaces (0.0.0.0) rather than loopback. The commit diff confirms the fix: the default --host becomes 127.0.0.1:9911 and decoding is gated by unserialize(..., ['allowed_classes' => [Data::class, Stub::class]]), restricting instantiation to the VarDumper\Cloner classes that legitimately appear in dumped records. Affected packages per CPE are the Composer packages symfony/monolog-bridge and the symfony/symfony monorepo.

RemediationAI

Vendor-released patch: upgrade symfony/monolog-bridge (or symfony/symfony) to 5.4.52, 6.4.40, 7.4.12, or 8.0.12 depending on your branch - run composer update symfony/monolog-bridge to the appropriate fixed release. The fix changes the default listen host to 127.0.0.1:9911 and enforces an unserialize allowlist limited to Symfony\Component\VarDumper\Caster\* and Cloner\* classes. If you cannot patch immediately, do not run server:log on production or shared hosts, explicitly pass --host=127.0.0.1:9911 so the listener binds only to loopback instead of 0.0.0.0, and block or firewall inbound TCP 9911 from all untrusted networks; the trade-off is that binding to loopback prevents legitimate off-host log forwarding, which for a dev-only tool is generally acceptable. Reference the advisory at https://github.com/symfony/symfony/security/advisories/GHSA-m7v2-7gxm-vc2v and the fix commit https://github.com/symfony/symfony/commit/0891b2f293896c488e26943dc034334364b77fc4.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-44330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy