GHSA-7MX2-7Q8P-PGMW

GHSA-7MX2-7Q8P-PGMW is a medium-severity improper authentication vulnerability in symfony/symfony (composer), affecting versions >= 2.0.0, < 2.0.6. It is fixed in 2.0.6.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Symfony may allow a user to switch to using another user's identity

Symfony 2.0.6 has just been released. It addresses a security vulnerability in the EntityUserProvider as provided in the Doctrine bridge.

If you let your users update their login/username from a form, and if you are using Doctrine as a user provider, then you are vulnerable and you should upgrade as soon as possible.

The issue is that it is possible for a user to switch to another one. Here is how to reproduce it: The current user changes its username via a form to another existing username. When the form is submitted, he will have a validation error (as the username already exists) but the user object in the session will still be modified to the new username. This user from the session will be used for the next requests and so the user will be switched to this other user.

The fix is to always refresh the user via the primary key (which cannot be updated via a form) instead of the username.

If you cannot upgrade immediately, please apply the following patch: https://github.com/symfony/symfony/commit/9d2ab9ca9c1762

Impact

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

GHSA-7MX2-7Q8P-PGMW has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.0.6); upgrading removes the vulnerable code path.

Affected versions

symfony/symfony (>= 2.0.0, < 2.0.6)

Security releases

symfony/symfony → 2.0.6 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade symfony/symfony to 2.0.6 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-7MX2-7Q8P-PGMW? GHSA-7MX2-7Q8P-PGMW is a medium-severity improper authentication vulnerability in symfony/symfony (composer), affecting versions >= 2.0.0, < 2.0.6. It is fixed in 2.0.6. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. How severe is GHSA-7MX2-7Q8P-PGMW? GHSA-7MX2-7Q8P-PGMW has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of symfony/symfony are affected by GHSA-7MX2-7Q8P-PGMW? symfony/symfony (composer) versions >= 2.0.0, < 2.0.6 is affected.
  4. Is there a fix for GHSA-7MX2-7Q8P-PGMW? Yes. GHSA-7MX2-7Q8P-PGMW is fixed in 2.0.6. Upgrade to this version or later.
  5. Is GHSA-7MX2-7Q8P-PGMW exploitable, and should I be worried? Whether GHSA-7MX2-7Q8P-PGMW is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-7MX2-7Q8P-PGMW is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-7MX2-7Q8P-PGMW? Upgrade symfony/symfony to 2.0.6 or later.

Other vulnerabilities in symfony/symfony

Stop the waste.
Protect your environment with Kodem.