GHSA-x6g4-fwcc-jj8w
Symfony has XXE (Local File Disclosure) in DomCrawler::addXmlContent() via validateOnParse = true
Details
### Description
`symfony/dom-crawler` provides the `Crawler` class for navigating HTML/XML documents with CSS/XPath selectors; `symfony/browser-kit`'s `HttpBrowser` uses it to parse fetched pages.
`Crawler::addXmlContent()` sets `DOMDocument::$validateOnParse = true` before calling `loadXML()`. Setting `validateOnParse` re-enables libxml's DTD subset processing, including external entity resolution, even though `LIBXML_NONET` is passed. `LIBXML_NONET` blocks **network** fetches but not `file://` entities. An attacker-supplied XML document with a `SYSTEM "file:///etc/passwd"` entity is therefore expanded.
### Resolution
The `Crawler::addXmlContent` method no longer sets the `validateOnParse` flag.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d) for branch 5.4.
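Added example, not Symfony's code: the pre-fix parser configuration described above beside a hardened loader that applies the fix (`validateOnParse` left at its default of `false`) and adds two defence-in-depth checks, a refusing external-entity loader and a rejection of any DTD that declares an external entity. The function names and the constructed sample document are this example's own.

```php
<?php
declare(strict_types=1);

/** The configuration the advisory describes (do not use). */
function loadXmlLikePreFix(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $dom->validateOnParse = true;       // re-enables DTD processing
    $dom->loadXML($xml, LIBXML_NONET);  // NONET stops network, not file://
    return $dom;
}

/** Hardened loader: returns the document or throws on external entities. */
function loadXmlHardened(string $xml): DOMDocument
{
    // Defence in depth: should libxml ever try to fetch a DTD or entity
    // (e.g. if a caller later adds LIBXML_NOENT), the lookup fails.
    libxml_set_external_entity_loader(static fn ($public, $system) => null);
    $prev = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // validateOnParse deliberately left false, as in the fix
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        // Reject any DTD that declares an external (SYSTEM/PUBLIC) entity.
        if ($dom->doctype !== null) {
            foreach ($dom->doctype->entities as $entity) {
                if (($entity->systemId ?? '') !== '' || ($entity->publicId ?? '') !== '') {
                    throw new InvalidArgumentException(
                        'External entity declared: ' . $entity->nodeName);
                }
            }
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        libxml_set_external_entity_loader(null);  // restore the default loader
    }
}

// Constructed sample: a DTD declaring an external entity that points at a local file.
$sample = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "file:///tmp/constructed.txt">]><d>&e;</d>';
try {
    loadXmlHardened($sample);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;   // External entity declared: e
}
```

The DTD check refuses the document before any entity content could be attached, so it also catches callers that reintroduce `validateOnParse` or `LIBXML_NOENT` elsewhere in the stack.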
### Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
Affected packages

| Package | Affected from | Fixed in | Upgrade command |
|---|---|---|---|
| symfony/dom-crawler | 0 | 5.4.52 | `composer require symfony/dom-crawler:^5.4.52` |
| symfony/symfony | 0 | 5.4.52 | `composer require symfony/symfony:^5.4.52` |
| symfony/dom-crawler | 6.0.0 | 6.4.40 | `composer require symfony/dom-crawler:^6.4.40` |
| symfony/dom-crawler | 7.0.0 | 7.4.12 | `composer require symfony/dom-crawler:^7.4.12` |
| symfony/dom-crawler | 8.0.0 | 8.0.12 | `composer require symfony/dom-crawler:^8.0.12` |
| symfony/symfony | 6.0.0 | 6.4.40 | `composer require symfony/symfony:^6.4.40` |
| symfony/symfony | 7.0.0 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| symfony/symfony | 8.0.0 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |

References
- https://github.com/symfony/symfony/security/advisories/GHSA-x6g4-fwcc-jj8w [WEB]
- https://github.com/symfony/symfony/commit/eea5fd7488cbdc241da4ce242344b7d9a3ecdf3d [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dom-crawler/CVE-2026-45071.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45071.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45071 [WEB]