GHSA-j8gj-9rm5-4xhx
Symfony's Cas2Handler Derives CAS service URL from Client Host Header → Cross-Service Ticket Replay
### Details
`Cas2Handler` builds the CAS `service` parameter, which it sends to the ticket validation endpoint, from `Request::getSchemeAndHttpHost()`. That value reflects the attacker-controlled HTTP `Host` header whenever Symfony's `framework.trusted_hosts` setting is not configured (the default). An attacker who controls any *other* application registered with the same CAS server can replay a victim's ticket against the Symfony application with a spoofed `Host` header and be authenticated as that victim.
### Resolution
A new required `service_url` configuration option is introduced on `Cas2Handler`. The CAS `service` parameter sent to the validation endpoint is now built from this configured URL instead of being derived from the request's `Host` header, preventing cross-service ticket replay via Host header spoofing.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5ba145dba702404801bdf9e7e8d6df170060d541) for branch 7.4.
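To make the difference concrete, here is an added example (not Symfony's own code and not part of the advisory) that contrasts a `service` URL derived from the incoming request with one taken from a configured `service_url`, using only the HttpFoundation `Request` API. It assumes `symfony/http-foundation` is installed via Composer; the function names and the hosts `app.example` / `other-app.example` are hypothetical.

```php
<?php
// Added example: contrasts a CAS "service" URL derived from the request
// (the pre-fix behaviour) with one taken from configuration (the fixed
// behaviour). Assumes symfony/http-foundation is installed via Composer.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Exception\SuspiciousOperationException;
use Symfony\Component\HttpFoundation\Request;

// Pre-fix shape: the service URL follows whatever Host header arrives.
function buildServiceUrlFromRequest(Request $request): string
{
    return $request->getSchemeAndHttpHost().$request->getPathInfo();
}

// Fixed shape: the service URL is a deployment constant, independent of Host.
function buildServiceUrlFromConfig(string $serviceUrl): string
{
    return $serviceUrl;
}

// Constructed request: the ticket validation callback as it would reach the
// application, but carrying a Host header that names a different service.
$spoofed = Request::create('https://app.example/login/cas?ticket=ST-constructed-example');
$spoofed->headers->set('Host', 'other-app.example'); // hypothetical spoofed host

printf("derived from request: %s\n", buildServiceUrlFromRequest($spoofed));
printf("from configuration:   %s\n", buildServiceUrlFromConfig('https://app.example/login/cas'));

// Defence in depth: with trusted hosts configured (framework.trusted_hosts),
// HttpFoundation rejects an untrusted Host header outright instead of
// echoing it into URLs the application builds.
Request::setTrustedHosts(['^app\.example$']);
try {
    buildServiceUrlFromRequest($spoofed);
} catch (SuspiciousOperationException $e) {
    echo "rejected: ".$e->getMessage()."\n";
}
```

The first `printf` shows the request-derived URL changing with the `Host` header while the configured one does not, which is exactly what lets the validated ticket be accepted for the wrong service before the fix.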
### Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Nicolas Grekas for providing the fix.
### Affected packages

| Package | Affected from | Fixed in | Upgrade command |
|---|---|---|---|
| symfony/security-http | 7.1.0 | 7.4.12 | `composer require symfony/security-http:^7.4.12` |
| symfony/security-http | 8.0.0 | 8.0.12 | `composer require symfony/security-http:^8.0.12` |
| symfony/symfony | 7.1.0 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| symfony/symfony | 8.0.0 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |

### References
- https://github.com/symfony/symfony/security/advisories/GHSA-j8gj-9rm5-4xhx [WEB]
- https://github.com/symfony/symfony/commit/5ba145dba702404801bdf9e7e8d6df170060d541 [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45074.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45074.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45074 [WEB]