CVE-2024-28859 Overview
CVE-2024-28859 is a critical insecure deserialization vulnerability affecting Symfony1, a community fork of the legacy symfony 1.4 framework. The vulnerability exists due to a gadget chain in the bundled Swift Mailer dependency that can enable remote code execution when developers unserialize untrusted user input within their applications.
Symfony1 has been bundled with Swift Mailer since version 1.3.0, with the library included by default in the vendor directory. The vulnerable Swift Mailer classes implement __destruct() methods that are invoked when PHP destroys objects in memory. An attacker can exploit the array access mechanism triggered during foreach($this->_keys ...) iterations by manipulating objects that implement the ArrayAccess interface, allowing arbitrary PHP command execution.
Critical Impact
This vulnerability enables remote code execution if an application deserializes untrusted user data. While not directly exploitable, it provides a potent attack vector when combined with unsafe deserialization patterns in application code.
Affected Products
- friendsofsymfony1 symfony1 (versions prior to 1.5.18)
- Applications bundled with vulnerable Swift Mailer versions (< 5.4.13 or < 6.2.5)
- PHP applications using Symfony1 that deserialize user-controlled input
Discovery Timeline
- 2024-03-15 - CVE CVE-2024-28859 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2024-28859
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The attack requires network access with high complexity, requiring no privileges or user interaction, but can change the scope of the attack to impact resources beyond the vulnerable component.
The gadget chain exploits PHP's object lifecycle during deserialization. When a serialized object is unserialized, PHP reconstructs the object and later calls magic methods like __destruct() when the object is garbage collected. Swift Mailer's implementation allows attackers to craft malicious serialized payloads that, when unserialized, can execute arbitrary PHP code through carefully constructed object references.
Root Cause
The root cause lies in the __destruct() methods implemented in Swift Mailer classes. These destructors iterate over internal arrays using constructs like foreach($this->_keys ...). Since PHP allows any object type to be included in $this->_keys, an attacker can inject objects implementing the ArrayAccess interface. When the foreach loop accesses these injected objects, it triggers the ArrayAccess::offsetGet() method, which can be chained to execute arbitrary code.
Attack Vector
The attack vector is network-based, though exploitation requires specific conditions in the target application. An attacker must:
- Identify an endpoint where the application deserializes user-controlled data
- Craft a malicious serialized payload containing the Swift Mailer gadget chain
- Submit the payload to the vulnerable endpoint
- The payload executes during PHP's object destruction phase
The security patch updated the Swift Mailer dependency to use a forked version with minimum versions that address the gadget chain:
[submodule "lib/vendor/swiftmailer"]
path = lib/vendor/swiftmailer
- url = https://github.com/swiftmailer/swiftmailer.git
+ url = https://github.com/FriendsOfSymfony1/swiftmailer.git
branch = 5.x
[submodule "lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine"]
path = lib/plugins/sfDoctrinePlugin/lib/vendor/doctrine
Source: GitHub Commit
The composer.json was also updated to require the patched versions:
"license": "MIT",
"require": {
"php" : "^7.4 || ^8.1",
- "swiftmailer/swiftmailer": "^5.2 || ^6.0"
+ "friendsofsymfony1/swiftmailer": "^5.4.13 || ^6.2.5"
},
"require-dev": {
"psr/log": "*"
Source: GitHub Commit
Detection Methods for CVE-2024-28859
Indicators of Compromise
- Unusual serialized data in HTTP requests, particularly containing Swift Mailer class references
- PHP error logs showing unexpected object destructor calls or ArrayAccess method invocations
- Application logs with serialization-related errors or exceptions
- Network traffic containing base64-encoded or URL-encoded serialized PHP objects
Detection Strategies
- Monitor web application logs for requests containing serialized PHP objects (look for patterns like O: followed by class names)
- Implement Web Application Firewall (WAF) rules to detect and block serialized PHP payloads in request parameters
- Use static analysis tools to identify code paths where unserialize() is called on user-controlled data
- Audit application code for any usage of unserialize(), eval(), or similar dangerous functions with external input
Monitoring Recommendations
- Enable detailed PHP error logging to capture deserialization exceptions and unexpected object instantiation
- Configure intrusion detection systems to alert on patterns associated with PHP object injection attacks
- Monitor for unusual process spawning or command execution originating from the web server process
- Track dependency versions in your software bill of materials (SBOM) to identify vulnerable Swift Mailer installations
How to Mitigate CVE-2024-28859
Immediate Actions Required
- Upgrade Symfony1 to version 1.5.18 or later immediately
- Audit application code for any unserialize() calls that process user input
- Replace unserialize() with json_decode() where possible for handling user data
- If deserialization is required, implement strict input validation and use PHP's allowed_classes option
Patch Information
The vulnerability has been addressed in Symfony1 version 1.5.18. The patch updates the Swift Mailer dependency to use the FriendsOfSymfony1 fork with minimum versions 5.4.13 or 6.2.5, which contain fixes for the gadget chain. The security advisory and patch details are available in the GitHub Security Advisory. The specific commit implementing the fix can be reviewed at GitHub Commit edb850f.
Workarounds
- There are no known workarounds for this vulnerability; upgrading to version 1.5.18 is the recommended remediation
- As a defense-in-depth measure, avoid using unserialize() on any user-controlled input
- Consider implementing a content security policy to restrict code execution capabilities
- Use PHP's disable_functions directive to restrict dangerous functions like exec(), system(), and passthru()
# Update Symfony1 using Composer
composer require friendsofsymfony1/symfony1:^1.5.18
# Verify the Swift Mailer version meets minimum requirements
composer show friendsofsymfony1/swiftmailer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
