GHSA-hmr5-2xcr-v8pp
Symfony Vulnerable to stored XSS in WebProfiler CodeExtension::fileExcerpt() — Unescaped Non-PHP File Rendering
Details
### Description
Symfony's profiler, a development-only debug UI, renders source-code excerpts on several pages using Twig's custom `file_excerpt` filter. This filter renders PHP files via `highlight_string()` (which escapes HTML), but renders **non-PHP files** by splitting on `\n` and interpolating each line directly into `<code>{$line}</code>` with no escaping.
An attacker who can write arbitrary bytes into any file under the project root (including, for example, `var/log/dev.log`) achieves **stored XSS** against any developer who later opens that file in the profiler.
### Resolution
The `file_excerpt` filter now properly escapes each line of non-PHP files using `htmlspecialchars()` before concatenating them.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/863aa81c61166f1aa74b7732df316f76113acbdb) for branch 6.4.
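The following is an added illustration of the two rendering paths described above, vulnerable and fixed, written for this page; it is a simplified re-implementation, not Symfony's own `CodeExtension` code, and the function names, the `sprintf`-based markup and the sample log file are assumed.

```php
<?php
// Illustrative re-implementation of the non-PHP excerpt rendering path.
// Not Symfony's CodeExtension code; names and markup shape are assumed.

// Vulnerable shape: each line of a non-PHP file is interpolated into the
// <code> element verbatim, so any HTML stored in the file becomes markup.
function excerptVulnerable(string $contents, int $from, int $to): string
{
    $lines = explode("\n", $contents);
    $html = sprintf('<ol start="%d">', $from);
    for ($i = $from; $i <= $to; ++$i) {
        $line = $lines[$i - 1] ?? '';                       // 1-based UI lines
        $html .= sprintf('<li><code>%s</code></li>', $line); // no escaping
    }
    return $html.'</ol>';
}

// Fixed shape: every line is passed through htmlspecialchars() before it is
// concatenated, so file contents can only ever render as text.
function excerptFixed(string $contents, int $from, int $to): string
{
    $lines = explode("\n", $contents);
    $html = sprintf('<ol start="%d">', $from);
    for ($i = $from; $i <= $to; ++$i) {
        $raw  = $lines[$i - 1] ?? '';
        $line = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= sprintf('<li><code>%s</code></li>', $line);
    }
    return $html.'</ol>';
}

// Returns true when an unescaped <script> start tag survived into the markup;
// a defender can use the same check as a regression test for the filter.
function rendersRawScript(string $html): bool
{
    return str_contains($html, '<script');
}

// Constructed sample log (not a real Symfony log): line 2 carries bytes that
// an attacker was able to get written into the file, e.g. via a logged value.
$log = "[2024-01-01T00:00:00] request.INFO: Matched route \"home\".\n"
     . "[2024-01-01T00:00:01] request.ERROR: Bad value <script>alert(1)</script>\n"
     . "[2024-01-01T00:00:02] request.INFO: Done.";

var_dump(rendersRawScript(excerptVulnerable($log, 1, 3)));
var_dump(rendersRawScript(excerptFixed($log, 1, 3)));
```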
### Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
### Affected packages

| Package | Affected version | Fixed in | Upgrade command |
|---|---|---|---|
| symfony/symfony | 6.4.24 | 6.4.40 | `composer require symfony/symfony:^6.4.40` |
| symfony/symfony | 7.2.9 | 7.4.12 | `composer require symfony/symfony:^7.4.12` |
| symfony/symfony | 8.0.0 | 8.0.12 | `composer require symfony/symfony:^8.0.12` |
| symfony/twig-bridge | 6.4.24 | 6.4.40 | `composer require symfony/twig-bridge:^6.4.40` |
| symfony/web-profiler-bundle | 7.2.9 | 7.4.12 | `composer require symfony/web-profiler-bundle:^7.4.12` |
| symfony/web-profiler-bundle | 8.0.0 | 8.0.12 | `composer require symfony/web-profiler-bundle:^8.0.12` |

### References
- https://github.com/symfony/symfony/security/advisories/GHSA-hmr5-2xcr-v8pp [WEB]
- https://github.com/symfony/symfony/commit/863aa81c61166f1aa74b7732df316f76113acbdb [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45072.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/twig-bridge/CVE-2026-45072.yaml [WEB]
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/web-profiler-bundle/CVE-2026-45072.yaml [WEB]
- https://github.com/symfony/symfony [PACKAGE]
- https://symfony.com/cve-2026-45072 [WEB]