CVE-2020-15094 Overview
CVE-2020-15094 is a Remote Code Execution (RCE) vulnerability affecting the Symfony PHP framework's CachingHttpClient class. The vulnerability exists in the HttpClient component, where the HttpCache class uses internal headers (X-Body-Eval and X-Body-File) to control cached response restoration. Originally designed for surrogate caching and ESI (Edge Side Includes) support scenarios where all HTTP calls originate from trusted backends, these internal headers become a critical attack surface when used with CachingHttpClient in untrusted contexts.
Critical Impact
Attackers who can control the response for a request made by CachingHttpClient can achieve remote code execution on the server by manipulating internal cache headers.
Affected Products
- SensioLabs Symfony versions before 4.4.13 and 5.1.5
- SensioLabs HttpClient component
- Fedora Project Fedora 32 and 33
Discovery Timeline
- September 2, 2020 - CVE-2020-15094 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-15094
Vulnerability Analysis
This vulnerability stems from improper encapsulation of information (CWE-212) in Symfony's HTTP caching implementation. The HttpCache class was designed with an implicit trust model where internal control headers would only be set by trusted backend systems. However, when the CachingHttpClient class leverages HttpCache to cache HTTP responses from external sources, this trust assumption breaks down.
The X-Body-Eval header allows specifying PHP code for execution during cache restoration, while X-Body-File can specify arbitrary file paths. If an attacker can influence the response returned to a CachingHttpClient request—such as through a compromised upstream server or man-in-the-middle attack—they can inject these internal headers and achieve code execution when the cached response is subsequently restored.
Root Cause
The root cause is the improper separation between internal control mechanisms and externally-controllable data. The HttpCache class was initially written for ESI/surrogate caching scenarios where all responses come from trusted backend infrastructure. The introduction of CachingHttpClient created a new attack surface where external, potentially malicious responses could include internal control headers that would be processed as trusted directives.
Attack Vector
The attack requires the ability to control or influence HTTP responses received by an application using CachingHttpClient. This could occur through:
- Compromising an upstream server that the application makes requests to
- Man-in-the-middle attacks between the application and remote services
- DNS hijacking to redirect requests to attacker-controlled servers
- Cache poisoning in intermediate proxies
Once the attacker can inject responses containing X-Body-Eval or X-Body-File headers, the malicious content is cached and executed when the cache entry is restored.
// Security patch in src/Symfony/Component/HttpKernel/HttpClientKernel.php
// Removes internal headers from HttpClient responses to prevent RCE
$response = new Response($response->getContent(!$catch), $response->getStatusCode(), $response->getHeaders(!$catch));
+ $response->headers->remove('X-Body-File');
+ $response->headers->remove('X-Body-Eval');
+ $response->headers->remove('X-Content-Digest');
+
$response->headers = new class($response->headers->all()) extends ResponseHeaderBag {
protected function computeCacheControlValue(): string
{
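Review bot: the three `remove()` calls rely on ordering that the hunk leaves undocumented: they run on the `Response` built from `$response->getHeaders(!$catch)` and before `$response->headers` is replaced by the anonymous `ResponseHeaderBag` constructed from `$response->headers->all()`, so the stripped names never reach the new bag; a one-line comment above `$response->headers->remove('X-Body-File');` stating that these are HttpCache's trusted restoration directives and must not survive from an external response would make the intent clear to the next maintainer. The fix is also a fixed denylist of three names, so any further internal header HttpCache comes to trust would need to be added here; worth noting that in the comment as well.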
Source: GitHub Security Commit
Detection Methods for CVE-2020-15094
Indicators of Compromise
- Unexpected presence of X-Body-Eval, X-Body-File, or X-Content-Digest headers in HTTP responses from external services
- Anomalous PHP code execution patterns originating from the HTTP caching subsystem
- Unusual file access patterns related to cache restoration operations
Detection Strategies
- Monitor web application firewall (WAF) logs for responses containing X-Body-Eval or X-Body-File headers
- Implement application-level logging to detect when internal Symfony headers are present in external HTTP responses
- Review cache directories for unexpected or suspicious cached content
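The application-level check described above, written here as an added example rather than Symfony code: it parses the header block of a raw HTTP response and reports any of the internal cache-control header names, comparing case-insensitively (HTTP header names are case-insensitive, so an exact-case match would miss `x-body-eval`). The sample response is constructed, not captured traffic.

```python
"""Added example: detect Symfony's internal cache-control headers
(X-Body-Eval, X-Body-File, X-Content-Digest) in responses received from
external services. Not part of Symfony; hypothetical helper names."""
from __future__ import annotations

# Header names HttpCache treats as trusted restoration directives (per the advisory).
INTERNAL_HEADERS = frozenset({"x-body-eval", "x-body-file", "x-content-digest"})


def parse_response_headers(raw: bytes) -> list[tuple[str, str]]:
    """Parse the header block of a raw HTTP/1.1 response into (name, value)
    pairs. Duplicates are kept so repeated names are still reported, and
    obsolete line folding (leading SP/HTAB) is joined onto the prior header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        if line[0] in " \t" and headers:  # obs-fold continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def find_internal_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return every header whose name, lower-cased, is one of the internal
    names. A hit means the response should be logged and must not be cached."""
    return [(n, v) for n, v in parse_response_headers(raw) if n.lower() in INTERNAL_HEADERS]


# Constructed sample: an external response carrying one internal header in odd casing.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"x-body-EVAL: 1\r\n"
    b"Cache-Control: public, max-age=60\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for name, value in find_internal_headers(SAMPLE_RESPONSE):
        print(f"ALERT internal Symfony cache header from upstream: {name}: {value}")
```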
Monitoring Recommendations
- Deploy SentinelOne Singularity to detect anomalous process execution patterns indicative of RCE exploitation
- Configure alerting for any PHP process executing code from unexpected contexts or cache-related paths
- Establish baseline monitoring for outbound HTTP connections from Symfony applications to detect communication with potentially compromised upstream servers
How to Mitigate CVE-2020-15094
Immediate Actions Required
- Upgrade Symfony to version 4.4.13 or later for the 4.x branch
- Upgrade Symfony to version 5.1.5 or later for the 5.x branch
- Audit all applications using CachingHttpClient to identify potential exposure
- Review upstream services and network security to minimize response manipulation risks
Patch Information
The vulnerability has been fixed in Symfony versions 4.4.13 and 5.1.5. The fix removes the internal control headers (X-Body-File, X-Body-Eval, X-Content-Digest) from responses processed by HttpClientKernel before they can be cached. This ensures that even if an attacker injects these headers into a response, they are stripped before reaching the caching layer.
For detailed patch information, see the GitHub Security Commit and the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, consider disabling HTTP response caching in applications using CachingHttpClient until the upgrade can be performed
- Implement strict TLS verification and certificate pinning for upstream services to reduce MITM attack risks
- Deploy network-level filtering to strip X-Body-Eval and X-Body-File headers from incoming responses at the reverse proxy layer
# Composer command to update Symfony to patched versions
composer require symfony/http-kernel:^4.4.13 symfony/http-client:^4.4.13
# Or for Symfony 5.x
composer require symfony/http-kernel:^5.1.5 symfony/http-client:^5.1.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.