GHSA-6439-2f28-8p8q
Synfony's HEAD Request Bypasses methods: ['GET'] Filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid]
Details
### Description
Symfony's `#[IsGranted('...')]`, `#[IsSignatureValid]`, and `#[IsCsrfTokenValid(...)]` attributes allow you to define a `methods: [...]` argument to only enforce these checks for the listed HTTP methods and skip them otherwise. E.g. an attribute defining `methods: ['GET']` would be ignored for a `HEAD` request.
On the other hand, Symfony's router (and HTTP semantics generally) serves `HEAD` requests using the `GET` handler. Therefore, a controller protected by e.g. `#[IsGranted('ROLE_ADMIN', methods: ['GET'])]` can be reached via `HEAD` with the authorization check silently skipped.
Even if the `HEAD` request won't get any response content, response headers leak (`Content-Length`, `Location`, custom headers). Also, the controller still executes and any side effects (DB writes, state changes) occur.
### Resolution
When adding `GET` in the `methods` option of these attributes, Symfony now also include the `HEAD` method automatically.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/fa8d5c67aa4b22c9656e3fd7d5c3aa59865bf838) for branch 7.4.
### Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and Alexandre Daubois for fixing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
7.4.0 Fixed in: 7.4.12 composer require symfony/http-kernel:^7.4.12 8.0.0 Fixed in: 8.0.12 composer require symfony/http-kernel:^8.0.12 7.4.0 Fixed in: 7.4.12 composer require symfony/security-http:^7.4.12 8.0.0 Fixed in: 8.0.12 composer require symfony/security-http:^8.0.12 7.4.0 Fixed in: 7.4.12 composer require symfony/symfony:^7.4.12 8.0.0 Fixed in: 8.0.12 composer require symfony/symfony:^8.0.12 References
- https://github.com/symfony/symfony/security/advisories/GHSA-6439-2f28-8p8q [WEB]
- https://github.com/symfony/symfony/commit/fa8d5c67aa4b22c9656e3fd7d5c3aa59865bf838 [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2026-45075.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2026-45075.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45075.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45075 [WEB]