CVE-2024-50345 Overview
CVE-2024-50345 is an Open Redirect vulnerability (CWE-601) in the symfony/http-foundation module of the Symfony PHP framework. The Request class fails to parse URIs with special characters in the same manner as web browsers, creating a discrepancy that attackers can exploit. This parsing inconsistency allows malicious actors to trick validators relying on the Request class to redirect users to attacker-controlled domains.
Critical Impact
Attackers can exploit this URI parsing discrepancy to redirect users to malicious websites, potentially facilitating phishing attacks, credential theft, or malware distribution through trusted Symfony applications.
Affected Products
- Symfony versions prior to 5.4.46
- Symfony versions 6.x prior to 6.4.14
- Symfony versions 7.x prior to 7.1.7
Discovery Timeline
- November 6, 2024 - CVE-2024-50345 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2024-50345
Vulnerability Analysis
This vulnerability stems from a fundamental inconsistency in how the Symfony Request class processes URIs compared to how web browsers interpret the same URIs. When special characters are present in a URI, browsers apply specific parsing rules defined by the WHATWG URL Specification. However, the Request class did not adhere to these same parsing standards, creating a security gap.
The attack exploits this parsing differential to bypass URL validation mechanisms. When an application uses Symfony's Request class to validate redirect destinations, an attacker can craft a URI that appears safe to the validator but actually redirects users to a malicious domain when processed by the browser. This is a classic Open Redirect scenario that can undermine user trust and enable secondary attacks such as credential harvesting.
Root Cause
The root cause lies in the Request::create method's URI parsing logic, which did not properly validate or reject URIs containing invalid characters as defined by the WHATWG URL specification. This permissive behavior allowed specially crafted URIs to pass validation while being interpreted differently by web browsers.
Attack Vector
The attack is network-based and requires user interaction. An attacker constructs a malicious URL containing special characters that exploit the parsing discrepancy. When a victim clicks the link to a trusted Symfony application, the application's redirect validation passes the malicious URL, and the user is redirected to an attacker-controlled site.
The vulnerability can be exploited through:
- Phishing campaigns using links to legitimate Symfony applications
- OAuth/SAML redirect parameter manipulation
- Any feature that accepts user-supplied redirect URLs and validates them using the Request class
Detection Methods for CVE-2024-50345
Indicators of Compromise
- Unusual redirect URLs containing special characters in application logs
- User complaints about unexpected redirections from your application
- Detection of outbound requests to unexpected external domains following user sessions
- Presence of encoded or special characters in redirect parameters that deviate from expected patterns
Detection Strategies
- Review web server and application logs for redirect requests containing unusual character sequences
- Implement monitoring for redirect chains that terminate at external domains
- Audit code paths using Request::create method with user-supplied URI data
- Use static analysis tools to identify redirect handling code that relies on Symfony's Request class validation
Monitoring Recommendations
- Set up alerts for redirect responses (HTTP 301, 302, 303, 307, 308) to external domains
- Monitor for increased traffic patterns to redirect endpoints
- Implement logging for all URL validation operations involving user-supplied data
- Track browser-reported security warnings that may indicate redirect abuse
How to Mitigate CVE-2024-50345
Immediate Actions Required
- Upgrade Symfony to patched versions: 5.4.46, 6.4.14, or 7.1.7 or later
- Review all application code that uses Request::create with user-supplied URIs
- Implement additional server-side validation for redirect URLs using allowlists
- Consider implementing Content Security Policy headers to restrict redirect destinations
Patch Information
Symfony has released security patches that update the Request::create method to properly validate URIs against the WHATWG URL specification, rejecting any URIs containing invalid characters. The fix ensures that the framework's URI parsing behavior aligns with browser behavior, eliminating the parsing discrepancy.
For detailed patch information, refer to the GitHub Security Advisory GHSA-mrqx-rp3w-jpjp.
Workarounds
- There are no known workarounds for this vulnerability according to the vendor advisory
- Upgrading to the patched versions is the only recommended remediation
- As a defense-in-depth measure, implement strict allowlisting for redirect destinations
- Consider using a separate URL validation library that adheres to WHATWG standards until upgrading is possible
# Update Symfony to patched versions using Composer
composer require symfony/http-foundation:^5.4.46
# Or for version 6.x
composer require symfony/http-foundation:^6.4.14
# Or for version 7.x
composer require symfony/http-foundation:^7.1.7
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
