Vulnerable Library - symfony/runtime-v7.3.4
Enables decoupling PHP applications from global state
Library home page: https://api.github.com/repos/symfony/runtime/zipball/3550e2711e30bfa5d808514781cd52d1cc1d9e9f
Vulnerabilities
In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-47767
Vulnerable Library - symfony/runtime-v7.3.4
Enables decoupling PHP applications from global state
Library home page: https://api.github.com/repos/symfony/runtime/zipball/3550e2711e30bfa5d808514781cd52d1cc1d9e9f
Dependency Hierarchy:
- ❌ symfony/runtime-v7.3.4 (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Description
CVE-2024-50340 (GHSA-x8vp-gf4q-mw5j) addressed an issue where, with "register_argc_argv=On", a crafted query string let an unauthenticated GET change the kernel environment and debug flag by feeding "--env"/"--no-debug" through "$_SERVER['argv']". The fix shipped in "symfony/runtime" 5.4.46 / 6.4.14 / 7.1.7 gated the argv read on "empty($_GET)" as a proxy for "is this a CLI invocation".
That proxy is unsafe: "parse_str()" (which builds "$_GET") and the web SAPI (which builds "$_SERVER['argv']" from the raw query when "register_argc_argv=On") do not agree on every input, so an attacker can craft a query that leaves "$_GET" empty while "$_SERVER['argv']" carries the attacker's flags. "SymfonyRuntime::getInput()" then parses them, restoring the exact primitive CVE-2024-50340 was meant to prevent.
Preconditions and impact match the original CVE: web SAPI, "register_argc_argv=On", app booted through "symfony/runtime"; from an unauthenticated GET an attacker can flip "APP_ENV" and toggle "APP_DEBUG".
Resolution
"SymfonyRuntime" now gates the argv read on "isset($_SERVER['QUERY_STRING'])" rather than on "empty($_GET)". "QUERY_STRING" is the same input the SAPI uses to build argv, so the security check and the thing it protects no longer parse different sources. Worker SAPIs (FrankenPHP / RoadRunner / Swoole) keep working because the runtime constructor runs once at boot, when "QUERY_STRING" is unset.
The patch for this issue is available "here" (symfony/symfony@3228c38) for branch 5.4.
Credits
SymfonyRuntime would like to thank 0xEr3n for reporting the issue and Nicolas Grekas for providing the fix.
Publish Date: 2026-06-10
URL: CVE-2026-47767
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-fqc7-9xjw-jrh3
Release Date: 2026-06-10
Fix Resolution:
- symfony/runtime - v7.4.12
- symfony/runtime - v8.0.12
- symfony/runtime - v5.4.52
- symfony/runtime - v6.4.40
- https://github.com/symfony/symfony.git - v7.4.12
- https://github.com/symfony/symfony.git - v6.4.40
- https://github.com/symfony/symfony.git - v8.0.12
- https://github.com/symfony/symfony.git - v5.4.52