Skip to main content

Symfony DomCrawler EUVDEUVD-2026-44368

| CVE-2026-45071 HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-27 https://github.com/symfony/symfony GHSA-x6g4-fwcc-jj8w
8.7
CVSS 4.0 · Vendor: https://github.com/symfony/symfony
Share

Severity by source

Vendor (https://github.com/symfony/symfony) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote unauthenticated attacker supplies XML with no added complexity (AV:N/AC:L/PR:N/UI:N); impact is local file disclosure so C:H, I:N, A:N; no code executes outside the component so S:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:N/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/symfony/symfony).

CVSS VectorVendor: https://github.com/symfony/symfony

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 20:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 20:22 NVD
8.7 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 22:16 vuln.today
Analysis Generated
May 27, 2026 - 22:16 vuln.today

DescriptionCVE.org

Description

symfony/dom-crawler provides the Crawler class for navigating HTML/XML documents with CSS/XPath selectors; symfony/browser-kit's HttpBrowser uses it to parse fetched pages.

Crawler::addXmlContent() sets DOMDocument::$validateOnParse = true before calling loadXML(). Setting validateOnParse re-enables libxml's DTD subset processing, including external entity resolution, even though LIBXML_NONET is passed. LIBXML_NONET blocks network fetches but not file:// entities. An attacker-supplied XML document with a SYSTEM "file:///etc/passwd" entity is therefore expanded.

Resolution

The Crawler::addXmlContent method does not set the validateOnParse flag anymore.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.

AnalysisAI

XML External Entity (XXE) local file disclosure in Symfony's DomCrawler component allows remote attackers to read arbitrary server-side files when an application parses attacker-controlled XML via Crawler::addXmlContent(). The method explicitly set DOMDocument::$validateOnParse = true, which re-enabled libxml DTD subset processing and external entity resolution; because LIBXML_NONET only blocks network fetches and not file:// entities, an entity such as SYSTEM "file:///etc/passwd" is expanded and its contents exposed. EPSS is very low (0.05%, 17th percentile) and there is no public exploit identified at time of analysis, though the vendor commit ships a demonstrative test case.

Technical ContextAI

The affected technology is Symfony's DomCrawler component (package composer/symfony/dom-crawler, also bundled in the symfony/symfony monolith), which wraps PHP's ext-dom / libxml DOMDocument to let developers navigate HTML and XML with CSS and XPath selectors. Symfony's BrowserKit HttpBrowser uses the same Crawler to parse fetched pages, broadening the exposure to HTTP client / crawling workflows. The root cause is CWE-611 (Improper Restriction of XML External Entity Reference): Crawler::addXmlContent() called DOMDocument::loadXML() with LIBXML_NONET but first toggled $validateOnParse = true. Enabling validation forces libxml to process the internal DTD subset, which includes resolving declared external entities; LIBXML_NONET stops http(s)/ftp network retrieval but does not restrict local file:// URIs, so external entities pointing at local files are still dereferenced and inlined into the parsed document text.

RemediationAI

Upgrade to a fixed release: Symfony 5.4.52, 6.4.40, 7.4.12, or 8.0.12 (Vendor-released patch confirmed via release tags and commit eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d, which removes the $dom->validateOnParse = true line from Crawler::addXmlContent). Run composer update symfony/dom-crawler (or symfony/symfony) to the corresponding patched version for your branch. If you cannot upgrade immediately, avoid passing untrusted XML to Crawler::addXmlContent()/addContent() - parse third-party XML yourself with libxml_set_external_entity_loader() set to reject file:// (and non-http) URIs, or pre-strip/reject any DOCTYPE/DTD before handing content to the Crawler; the trade-off is added parsing code and potential breakage of legitimate documents that rely on a DTD. For HttpBrowser-based crawling, restrict which hosts/content are fetched and parsed. Advisory and patch references: https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w and https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d.

Share

EUVD-2026-44368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy